OSDN Git Service
(root)
/
android-x86
/
system-bt.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(parent:
5ce55bd
)
Fix out-of-bounds reading when copy SDP raw data
author
Yamei Du
<yamei.du@mediatek.com>
Sat, 27 May 2017 02:41:42 +0000
(10:41 +0800)
committer
Ting Zheng
<ting.zheng@mediatek.com>
Wed, 27 Sep 2017 21:30:55 +0000
(14:30 -0700)
When no attribute is returned in the SDP response, the cpy_len will be
MAX_DISC_RAW_DATA_BUF, this will cause out-of-bonds reading of source
buffer when copy the response raw data.
Change-Id: I923d8ee7e08f935e13cec38b75a04beca6174452
stack/sdp/sdp_discovery.cc
patch
|
blob
|
history
diff --git
a/stack/sdp/sdp_discovery.cc
b/stack/sdp/sdp_discovery.cc
index
9bc87a3
..
1a86796
100644
(file)
--- a/
stack/sdp/sdp_discovery.cc
+++ b/
stack/sdp/sdp_discovery.cc
@@
-349,7
+349,7
@@
static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
type = *p++;
p = sdpu_get_len_from_type(p, type, &list_len);
}
- if (list_len
&& list_len
< cpy_len) {
+ if (list_len < cpy_len) {
cpy_len = list_len;
}
SDP_TRACE_WARNING(
OSDN Git Service
