Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b23562fa authored by Srinu Jella's avatar Srinu Jella Committed by Andre Eisenbach
Browse files

SDP: Validate input UUID's length 

Use case: Crash observed during BT IOT testing

1. Try to pair to the remote device.
2. Connect  to the remote device's audio profiles.
3. Remote device has given the wrong UUID's length.This will leads to crash.

Failure: crash observed during profile connection

Root cause: Remote sent invalid UUID length,which is causing crash
in comparison logic.

Fix: Validate input UUID's length before going for actual comparison.

Bug: 19417758
Change-Id: I8216d17e3f6cc22dfbeca4b31972b5b5584a73ea
parent fea8ea42

system/stack/sdp/sdp_utils.c

+9 −2
Original line number Diff line number Diff line
@@ -669,6 +669,13 @@ BOOLEAN sdpu_compare_uuid_arrays (UINT8 *p_uuid1, UINT32 len1, UINT8 *p_uuid2, U 
    UINT8       nu1[MAX_UUID_SIZE];

    UINT8       nu2[MAX_UUID_SIZE];



    if( ((len1 != 2) && (len1 != 4) && (len1 != 16)) ||

        ((len2 != 2) && (len2 != 4) && (len2 != 16)) )

    {

        SDP_TRACE_ERROR("%s: invalid length", __func__);

        return FALSE;

    }



    /* If lengths match, do a straight compare */

    if (len1 == len2)

    {
@@ -696,7 +703,7 @@ BOOLEAN sdpu_compare_uuid_arrays (UINT8 *p_uuid1, UINT32 len1, UINT8 *p_uuid2, U 


            if (len2 == 4)

                memcpy (nu2, p_uuid2, len2);

            else

            else if (len2 == 2)

                memcpy (nu2 + 2, p_uuid2, len2);



            return (memcmp (nu1, nu2, MAX_UUID_SIZE) == 0);
@@ -719,7 +726,7 @@ BOOLEAN sdpu_compare_uuid_arrays (UINT8 *p_uuid1, UINT32 len1, UINT8 *p_uuid2, U 


            if (len1 == 4)

                memcpy (nu1, p_uuid1, (size_t)len1);

            else

            else if (len1 == 2)

                memcpy (nu1 + 2, p_uuid1, (size_t)len1);



            return (memcmp (nu1, nu2, MAX_UUID_SIZE) == 0);