Fix possible OOB read

author Jakub Pawlowski <jpawlowski@google.com>

Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)

committer Rohit Yengisetty <rngy@google.com>

Tue, 16 Oct 2018 23:21:12 +0000 (16:21 -0700)
author Jakub Pawlowski <jpawlowski@google.com>
Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)
committer Rohit Yengisetty <rngy@google.com>
Tue, 16 Oct 2018 23:21:12 +0000 (16:21 -0700)
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc

index b0b4dc7..974c02e 100644 (file)
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -277,6 +277,11 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
    uint16_t total, cur_handles, orig;
    uint8_t cont_len;
  
+  if (p_reply + 8 > p_reply_end) {
+    android_errorWriteLog(0x534e4554, "74249842");
+    sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+    return;
+  }
    /* Skip transaction, and param len */
    p_reply += 4;
    BE_STREAM_TO_UINT16(total, p_reply);
@@ -295,6 +300,12 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
    if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
      p_ccb->num_handles = sdp_cb.max_recs_per_search;
  
+  if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
+    android_errorWriteLog(0x534e4554, "74249842");
+    sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+    return;
+  }
+
    for (xx = orig; xx < p_ccb->num_handles; xx++)
      BE_STREAM_TO_UINT32(p_ccb->handles[xx], p_reply);
author	Jakub Pawlowski <jpawlowski@google.com>
	Wed, 10 Oct 2018 17:35:37 +0000 (19:35 +0200)
committer	Rohit Yengisetty <rngy@google.com>
	Tue, 16 Oct 2018 23:21:12 +0000 (16:21 -0700)