Commit ba02c56f authored by Yamei Du, committed by Ting Zheng

Fix out-of-bounds reading when copying SDP raw data

When no attribute is returned in the SDP response, the cpy_len will be
MAX_DISC_RAW_DATA_BUF; this will cause out-of-bounds reading of the source
buffer when copying the response raw data.

Change-Id: I923d8ee7e08f935e13cec38b75a04beca6174452
parent f0c7fad8
+1 −1
@@ -349,7 +349,7 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
      type = *p++;
      p = sdpu_get_len_from_type(p, type, &list_len);
    }
    if (list_len && list_len < cpy_len) {
    if (list_len < cpy_len) {
      cpy_len = list_len;
    }
    SDP_TRACE_WARNING(
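
Review bot: The clamp at `if (list_len < cpy_len)` bounds the copy only by `list_len`, a value parsed out of the response by `sdpu_get_len_from_type`, and nothing in the visible lines compares it with the number of bytes actually left in the source buffer. A response that declares a longer list than it carries would still pass this check, so consider also limiting `cpy_len` to the remaining response length before the copy. The line would also benefit from a short comment saying that `list_len == 0` is now meant to produce a zero-length copy, since the dropped `list_len &&` guard is what left `cpy_len` at MAX_DISC_RAW_DATA_BUF in the no-attribute case described in the commit message. A regression test with an empty attribute list would pin that behaviour down.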