#if (SDP_RAW_DATA_INCLUDED == TRUE)
static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
{
- unsigned int cpy_len;
+ unsigned int cpy_len, rem_len;
UINT32 list_len;
UINT8 *p;
UINT8 type;
if(offset)
{
+ cpy_len -= 1;
type = *p++;
+ uint8_t* old_p = p;
p = sdpu_get_len_from_type (p, type, &list_len);
+ if ((int)cpy_len < (p - old_p)) {
+ SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+ return;
+ }
+ cpy_len -= (p - old_p);
}
- if(list_len && list_len < cpy_len )
+ if(list_len < cpy_len )
{
cpy_len = list_len;
}
+ rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
+ if (cpy_len > rem_len) {
+ SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len);
+ cpy_len = rem_len;
+ }
#if (SDP_DEBUG_RAW == TRUE)
SDP_TRACE_WARNING("list_len :%d cpy_len:%d raw_size:%d raw_used:%d",
list_len, cpy_len, p_ccb->p_db->raw_size, p_ccb->p_db->raw_used);
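Review bot: The `rem_len` computed after the `if(offset)` block can wrap: `p` has already been advanced by the type byte and by `sdpu_get_len_from_type`, and the preceding check only compares those consumed bytes against `cpy_len` (space left in the raw destination), never against what remains in `rsp_list`, so if `p` ends up past `&p_ccb->rsp_list[SDP_MAX_LIST_BYTE_COUNT]` the unsigned subtraction yields a huge `rem_len` and the `cpy_len > rem_len` clamp becomes a no-op. The type byte and the length bytes are also read before any bound is checked; this fix cannot prevent that over-read unless the caller guarantees `rsp_list` slack or the maximum read of `sdpu_get_len_from_type` is known (not visible here), which is worth a comment either way. I would compute the `rsp_list` remainder before the header parse and bound both the header and the payload by it, as below; `cpy_len`'s own initialisation and `p`'s start at `rsp_list[0]` are outside the hunk, so the first subtraction assumes that start. Minor: `rem_len` and `cpy_len` are `unsigned int`, so the warning should use `%u` rather than `%d`.
```c
    if(offset)
    {
        /* bytes left in rsp_list, bounded before the header is parsed */
        rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
        if (cpy_len == 0 || rem_len == 0) {
            SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
            return;
        }
        cpy_len -= 1;
        rem_len -= 1;
        type = *p++;
        uint8_t* old_p = p;
        p = sdpu_get_len_from_type (p, type, &list_len);
        if (cpy_len < (unsigned int)(p - old_p) || rem_len < (unsigned int)(p - old_p)) {
            SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
            return;
        }
        cpy_len -= (p - old_p);
    }
    /* … unchanged: list_len clamp … */
    rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
    /* … unchanged: cpy_len clamp against rem_len, debug trace … */
```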
/* If p_reply is NULL, we were called for the initial read */
if (p_reply)
{
+ if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+ p_reply_end) {
+ android_errorWriteLog(0x534e4554, "79884292");
+ sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+ return;
+ }
+
#if (SDP_DEBUG_RAW == TRUE)
SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
p_ccb->list_len, lists_byte_count);
#endif
+
+ if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "79884292");
+ sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+ return;
+ }
+
if (p_ccb->rsp_list == NULL)
p_ccb->rsp_list = (UINT8 *)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
memcpy (&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
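Review bot: Both new bounds checks are written as `p_reply + N > p_reply_end`, which forms a pointer beyond the end of the received PDU before comparing; that is undefined behaviour in C and compilers have been known to fold such comparisons away, so the checks should compare remaining length instead: `if ((size_t)(p_reply_end - p_reply) < 4 + sizeof(lists_byte_count))` and, for the second one, `if ((size_t)(p_reply_end - p_reply) < (size_t)lists_byte_count + 1)`. This assumes `p_reply_end` is derived from the same buffer as `p_reply` and is not before it, which is established outside the hunk. The `memcpy` into `&p_ccb->rsp_list[p_ccb->list_len]` writes `lists_byte_count` bytes into a buffer of `SDP_MAX_LIST_BYTE_COUNT`, and the hunk shows no check that `p_ccb->list_len + lists_byte_count <= SDP_MAX_LIST_BYTE_COUNT`; if that guard is not among the lines elided here, the source-side checks alone still allow a destination overflow. The enclosing function starts before and continues after this hunk.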