
Fix unexpected behavior in SDP
authorHansong Zhang <hsz@google.com>
Wed, 10 Jan 2018 01:16:35 +0000 (17:16 -0800)
committerHansong Zhang <hsz@google.com>
Wed, 10 Jan 2018 21:32:53 +0000 (13:32 -0800)
Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9

stack/sdp/sdp_server.cc

index 24a168c..664db71 100644 (file)
@@ -23,6 +23,8 @@
  *
  ******************************************************************************/
 
+#include <cutils/log.h>
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -343,6 +345,12 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
     return;
   }
 
+  if (max_list_len < 4) {
+    sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+    android_errorWriteLog(0x534e4554, "68776054");
+    return;
+  }
+
   /* Free and reallocate buffer */
   osi_free(p_ccb->rsp_list);
   p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);
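Review bot: The bound in `if (max_list_len < 4)` is a bare literal with no comment saying which later write into `rsp_list` needs four bytes, and the identical check is repeated in process_service_search_attr_req (the hunk at -553). A shared named constant with a one-line comment, for example `/* smallest rsp_list size the attribute-building code below can write into without overrunning */`, would keep the two sites in step; the value itself can only be confirmed against the code that fills `rsp_list`, which lies outside these hunks. The `0x534e4554` tag passed to `android_errorWriteLog` would likewise read better as a named constant with a comment stating what log consumers key on. The Test trailer covers only the working path, so a regression test that issues requests with max_list_len from 0 to 3 and expects SDP_ILLEGAL_PARAMETER with `rsp_list` left untouched would pin the fix. Both function bodies begin and continue outside the hunks.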
@@ -553,6 +561,12 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
 
   memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ));
 
+  if (max_list_len < 4) {
+    sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+    android_errorWriteLog(0x534e4554, "68817966");
+    return;
+  }
+
   /* Free and reallocate buffer */
   osi_free(p_ccb->rsp_list);
   p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);