X-Git-Url: http://git.osdn.net/view?a=blobdiff_plain;f=stack%2Fsdp%2Fsdp_discovery.c;h=6402b797d6cc17f2ffd93087033b5b519c5be162;hb=1a0571a4aca9d597a8f79665aa220decf0d45ce1;hp=ac4316034bb4884342e5651895214a420d75af18;hpb=463584ae61f4714a788391060efe06049871e2e5;p=android-x86%2Fsystem-bt.git
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index ac4316034..6402b797d 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -353,7 +353,7 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
 #if (SDP_RAW_DATA_INCLUDED == TRUE)
 static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
 {
-    unsigned int cpy_len;
+    unsigned int cpy_len, rem_len;
     UINT32 list_len;
     UINT8 *p;
     UINT8 type;
@@ -377,13 +377,25 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset)
 
         if(offset)
         {
+            cpy_len -= 1;
             type = *p++;
+            uint8_t* old_p = p;
             p = sdpu_get_len_from_type (p, type, &list_len);
+            if ((int)cpy_len < (p - old_p)) {
+                SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+                return;
+            }
+            cpy_len -= (p - old_p);
         }
-        if(list_len && list_len < cpy_len )
+        if(list_len < cpy_len )
         {
             cpy_len = list_len;
         }
+        rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int)(p - &p_ccb->rsp_list[0]);
+        if (cpy_len > rem_len) {
+            SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len);
+            cpy_len = rem_len;
+        }
 #if (SDP_DEBUG_RAW == TRUE)
         SDP_TRACE_WARNING("list_len :%d cpy_len:%d raw_size:%d raw_used:%d",
             list_len, cpy_len, p_ccb->p_db->raw_size, p_ccb->p_db->raw_used);
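Review bot: The new warning `SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len)` in sdp_copy_raw_data prints two `unsigned int` values with `%d`; use `%u` for both so the format matches the declared types. The guard `if ((int)cpy_len < (p - old_p))` relies on the implementation-defined conversion of a wrapped unsigned value: if `cpy_len` is 0 on entry, `cpy_len -= 1` wraps to UINT_MAX and only the cast to int makes the comparison fail, so a direct form such as `if (cpy_len < 1) return;` before the decrement and `if ((size_t)(p - old_p) > cpy_len)` after the length read states the intent without the cast. `sdpu_get_len_from_type` is still called without an end pointer, so the length bytes following `type` are read before the new check bounds them; whether that read stays inside `rsp_list` depends on how `p` and `cpy_len` are set at the top of sdp_copy_raw_data, which lies outside this hunk.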
@@ -568,6 +580,13 @@ static void process_service_search_attr_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
     /* If p_reply is NULL, we were called for the initial read */
     if (p_reply)
     {
+        if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+            p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
 #if (SDP_DEBUG_RAW == TRUE)
         SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
             p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
@@ -591,6 +610,13 @@ static void process_service_search_attr_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
         SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
             p_ccb->list_len, lists_byte_count);
 #endif
+
+        if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
         if (p_ccb->rsp_list == NULL)
             p_ccb->rsp_list = (UINT8 *)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
         memcpy (&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
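Review bot: Both new length checks in process_service_search_attr_rsp (this hunk and the one at `@@ -591,6 +610,13`) compare a pointer advanced by the peer-supplied count against `p_reply_end`; forming `p_reply + lists_byte_count + 1` when it lands beyond the buffer is undefined behaviour, and a compiler is allowed to fold such a comparison away. Comparing the remaining length as an integer avoids that: `if ((size_t)(p_reply_end - p_reply) < 4 + sizeof(lists_byte_count))` here, and `if ((size_t)(p_reply_end - p_reply) < (size_t)lists_byte_count + 1)` at the second site, assuming `p_reply <= p_reply_end` holds on entry. Where `p_reply_end` is derived is not visible, as the function starts before this hunk.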
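Review bot: The check added before the `memcpy` bounds only the source side; the destination write of `lists_byte_count` bytes at `&p_ccb->rsp_list[p_ccb->list_len]` into the `SDP_MAX_LIST_BYTE_COUNT`-byte `rsp_list` is not bounded by anything in this hunk. If `p_ccb->list_len + lists_byte_count` is not already compared against `SDP_MAX_LIST_BYTE_COUNT` earlier in the function (the body above this hunk is not visible), add `if (p_ccb->list_len + lists_byte_count > SDP_MAX_LIST_BYTE_COUNT) { sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE); return; }` next to the new check; if it is, a one-line comment such as `/* destination bound on rsp_list checked above */` would save the next reader the same question.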