
SDP: return error on offset bigger than atribute length
authorJakub Pawlowski <jpawlowski@google.com>
Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)
committerJakub Pawlowski <jpawlowski@google.com>
Wed, 11 Jul 2018 18:37:13 +0000 (18:37 +0000)
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998

stack/sdp/sdp_server.cc

index 1b0583b..94c56d9 100644 (file)
@@ -423,6 +423,13 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
       attr_len = sdpu_get_attrib_entry_len(p_attr);
       /* if there is a partial attribute pending to be sent */
       if (p_ccb->cont_info.attr_offset) {
+        if (attr_len < p_ccb->cont_info.attr_offset) {
+          android_errorWriteLog(0x534e4554, "79217770");
+          LOG(ERROR) << "offset is bigger than attribute length";
+          sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                  SDP_TEXT_BAD_CONT_LEN);
+          return;
+        }
         p_rsp = sdpu_build_partial_attrib_entry(p_rsp, p_attr, rem_len,
                                                 &p_ccb->cont_info.attr_offset);
 
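Review bot: The new early return in `process_service_attr_req` sends the error but leaves `p_ccb->cont_info.attr_offset` at the value that just failed the check, so whether the next request on this connection starts clean depends on code outside this hunk. Consider clearing it before returning, `p_ccb->cont_info.attr_offset = 0;`, so rejected continuation state cannot be reused. The identical block added to `process_service_search_attr_req` in the second hunk has the same gap. The guard also accepts `attr_offset == attr_len`, which presumably makes `sdpu_build_partial_attrib_entry` copy zero bytes; with `Test: none` on the commit, a unit test for that boundary and for the over-length case would pin the behaviour. Both functions begin and end outside the hunks, so any cleanup they do on other exit paths is not visible here.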
@@ -663,6 +670,13 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
         attr_len = sdpu_get_attrib_entry_len(p_attr);
         /* if there is a partial attribute pending to be sent */
         if (p_ccb->cont_info.attr_offset) {
+          if (attr_len < p_ccb->cont_info.attr_offset) {
+            android_errorWriteLog(0x534e4554, "79217770");
+            LOG(ERROR) << "offset is bigger than attribute length";
+            sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                    SDP_TEXT_BAD_CONT_LEN);
+            return;
+          }
           p_rsp = sdpu_build_partial_attrib_entry(
               p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);