Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f33f03bc authored by Android Build Merger (Role)'s avatar Android Build Merger (Role)
Browse files

[automerger] Add PDU size checks in process_service_search_attr_rsp am:... 

[automerger] Add PDU size checks in process_service_search_attr_rsp am: 63967b14 am: 192f25fa am: 817adcde am: a4d566b1 am: 7a9df273 am: cd7b9257 am: dff3c3ac am: c39fa078

Change-Id: I55b0755496a55a6f1c5a84227104f6478f05d0b4
parents 8a2d67ba c39fa078

system/stack/sdp/sdp_discovery.c

+14 −0
Original line number Diff line number Diff line
@@ -569,6 +569,13 @@ static void process_service_search_attr_rsp(tCONN_CB *p_ccb, UINT8 *p_reply, 
    /* If p_reply is NULL, we were called for the initial read */

    if (p_reply)

    {

        if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >

            p_reply_end) {

            android_errorWriteLog(0x534e4554, "79884292");

            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);

            return;

        }



#if (SDP_DEBUG_RAW == TRUE)

        SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",

            p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
@@ -592,6 +599,13 @@ static void process_service_search_attr_rsp(tCONN_CB *p_ccb, UINT8 *p_reply, 
        SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",

            p_ccb->list_len, lists_byte_count);

#endif



        if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {

            android_errorWriteLog(0x534e4554, "79884292");

            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);

            return;

        }



        if (p_ccb->rsp_list == NULL)

            p_ccb->rsp_list = (UINT8 *)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);

        memcpy (&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);