
Commit d5228d74 authored by Jakub Pawlowski's avatar Jakub Pawlowski

Fix possible OOB read in process_service_search_rsp

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
parent 35f419c7
+11 −0
@@ -291,6 +291,11 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
    UINT16      total, cur_handles, orig;
    UINT8       cont_len;

    if (p_reply + 8 > p_reply_end) {
        android_errorWriteLog(0x534e4554, "74249842");
        sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
        return;
    }
    /* Skip transaction, and param len */
    p_reply += 4;
    BE_STREAM_TO_UINT16 (total, p_reply);
@@ -311,6 +316,12 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
    if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
        p_ccb->num_handles = sdp_cb.max_recs_per_search;

    if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
        android_errorWriteLog(0x534e4554, "74249842");
        sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
        return;
    }

    for (xx = orig; xx < p_ccb->num_handles; xx++)
        BE_STREAM_TO_UINT32 (p_ccb->handles[xx], p_reply);
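Review bot: Both new guards, `if (p_reply + 8 > p_reply_end)` in the first hunk and `if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end)` here, compute a pointer past the reply buffer before comparing it, and when the reply really is short that addition is itself undefined behaviour (CERT ARR30-C), so an optimizer is free to assume it stays in bounds and fold the test. Comparing remaining length instead keeps the arithmetic on integers: `if ((size_t)(p_reply_end - p_reply) < 8)` for the first hunk and `if ((size_t)(p_reply_end - p_reply) < (size_t)(p_ccb->num_handles - orig) * 4 + 1)` for this one; the `+ 1` is kept so the byte read after the handle loop is still covered. The second form, like the original, relies on `num_handles >= orig` after the cap two lines above; that appears to hold if `orig` was capped the same way on an earlier pass, but the code establishing it is outside the hunk, so a one-line comment stating the invariant would help the next reader. process_service_search_rsp starts before the first hunk and continues past this one.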