Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d3dc486b authored by Hansong Zhang's avatar Hansong Zhang Committed by android-build-team Robot
Browse files

Fix a security issue in sdp_server.cc 

Bug: 169342531
Test: POC
Change-Id: I0e8cdb9a00184f62d11fb06bc30f07b2a35bc49e
(cherry picked from commit db169d7e)
parent 756a6f6c

system/stack/sdp/sdp_server.cc

+4 −0
Original line number Diff line number Diff line
@@ -118,9 +118,11 @@ void sdp_server_handle_client_req(tCONN_CB* p_ccb, BT_HDR* p_msg) { 


  if (p_req + sizeof(pdu_id) + sizeof(trans_num) > p_req_end) {

    android_errorWriteLog(0x534e4554, "69384124");

    android_errorWriteLog(0x534e4554, "169342531");

    trans_num = 0;

    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,

                            SDP_TEXT_BAD_HEADER);

    return;

  }



  /* The first byte in the message is the pdu type */
@@ -131,8 +133,10 @@ void sdp_server_handle_client_req(tCONN_CB* p_ccb, BT_HDR* p_msg) { 


  if (p_req + sizeof(param_len) > p_req_end) {

    android_errorWriteLog(0x534e4554, "69384124");

    android_errorWriteLog(0x534e4554, "169342531");

    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_REQ_SYNTAX,

                            SDP_TEXT_BAD_HEADER);

    return;

  }



  BE_STREAM_TO_UINT16(param_len, p_req);