Merge "Fix an OOB write in SDP_AddAttribute" into tm-dev am: 45e8d2dc90 am: 695d4eaba8 (b7f6dfaf) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/sdp/sdp_db.cc

+15 −5

Original line number	Diff line number	Diff line
		@@ -355,6 +355,11 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
		uint16_t xx, yy, zz;
		tSDP_RECORD* p_rec = &sdp_cb.server_db.record[0];

		if (p_val == nullptr) {
		SDP_TRACE_WARNING("Trying to add attribute with p_val == nullptr, skipped");
		return (false);
		}

		if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
		if ((attr_type == UINT_DESC_TYPE) \|\|
		(attr_type == TWO_COMP_INT_DESC_TYPE) \|\|
		@@ -402,6 +407,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
		if (p_rec->record_handle == handle) {
		tSDP_ATTRIBUTE* p_attr = &p_rec->attribute[0];

		// error out early, no need to look up
		if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
		SDP_TRACE_ERROR("the free pad for SDP record with handle %d is "
		"full, skip adding the attribute", handle);
		return (false);
		}

		/* Found the record. Now, see if the attribute already exists */
		for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
		/* The attribute exists. replace it */
		@@ -440,15 +452,13 @@ bool SDP_AddAttribute(uint32_t handle, uint16_t attr_id, uint8_t attr_type,
		attr_len = 0;
		}

		if ((attr_len > 0) && (p_val != 0)) {
		if (attr_len > 0) {
		p_attr->len = attr_len;
		memcpy(&p_rec->attr_pad[p_rec->free_pad_ptr], p_val, (size_t)attr_len);
		p_attr->value_ptr = &p_rec->attr_pad[p_rec->free_pad_ptr];
		p_rec->free_pad_ptr += attr_len;
		} else if ((attr_len == 0 &&
		p_attr->len !=
		0) \|\| /* if truncate to 0 length, simply don't add */
		p_val == 0) {
		} else if (attr_len == 0 && p_attr->len != 0) {
		/* if truncate to 0 length, simply don't add */
		SDP_TRACE_ERROR(
		"SDP_AddAttribute fail, length exceed maximum: ID %d: attr_len:%d ",
		attr_id, attr_len);