
Commit f70279f9 authored by Jakub Pawlowski's avatar Jakub Pawlowski Committed by android-build-merger

Add PDU size checks in process_service_search_attr_rsp am: 38b7670a

am: 538873f1

Change-Id: Iefba89565fe0c2088498ce0faff09c1a39f8afc3
parents 1137924c 538873f1
+14 −0
@@ -531,6 +531,13 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
#endif
  /* If p_reply is NULL, we were called for the initial read */
  if (p_reply) {
    if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
        p_reply_end) {
      android_errorWriteLog(0x534e4554, "79884292");
      sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
      return;
    }

#if (SDP_DEBUG_RAW == TRUE)
    SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x", p_reply[0], p_reply[1],
                      p_reply[2], p_reply[3]);
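Review bot: The new guard at the top of the `if (p_reply)` branch adds the offset to `p_reply` before comparing, so on a short PDU it forms a pointer beyond one past the end of the buffer, which is undefined behaviour and leaves the compiler free to fold the test. Comparing the remaining length avoids that and also rejects an inverted range: `if (p_reply_end - p_reply < (ptrdiff_t)(4 + sizeof(lists_byte_count))) {`. The check in the second hunk has the same form and could become `if (p_reply_end - p_reply < (ptrdiff_t)lists_byte_count + 1) {`. How `p_reply_end` is derived is not visible here, and the function starts and ends outside both hunks.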
@@ -554,6 +561,13 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
    SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d", p_ccb->list_len,
                      lists_byte_count);
#endif

    if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
      android_errorWriteLog(0x534e4554, "79884292");
      sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
      return;
    }

    if (p_ccb->rsp_list == NULL)
      p_ccb->rsp_list = (uint8_t*)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
    memcpy(&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
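Review bot: The check added ahead of the `memcpy` bounds only the source side: `lists_byte_count` bytes of `p_reply` plus the single continuation-length byte. It says nothing about the destination, `&p_ccb->rsp_list[p_ccb->list_len]`, whose buffer is allocated at `SDP_MAX_LIST_BYTE_COUNT`. Any limit on `p_ccb->list_len + lists_byte_count` would sit in the lines between the two hunks, which are not shown, so it is worth confirming one exists before this copy. The `+ 1 /* continuation */` also covers just the length byte, so whatever later reads the continuation state that byte announces presumably needs its own comparison against `p_reply_end`. A short comment on the new check, such as `/* bounds the read from p_reply only; rsp_list capacity is validated separately */`, would make that split explicit once it is confirmed.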