SDP parameter checks too loose

SDP Server's client req handler currently only check that the parameter length field does not indicate the parameters to excite the packet length. Sending SDP PDUs with
- fixed sdp_server_client_req to also check for length filed

If an invalid SDP Service Search Request Packet has the continuation info length field set to SDP_CONTINUATION_LEN, but does not contain any continuation information, the SDP server should answer with SDP_INVALID_CONT_STATE.
- fixed process_service_search so the length field is correctly checked
- fixed possible access to 2 bytes of memory outside the packet boundry

Bug: 10904535
Change-Id: I41fd021327fbf4f810ee4319bc95fa0dba0b48df

diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c
index 5f6923a..de128a6 100644 (file)
--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -130,7 +130,7 @@ void sdp_server_handle_client_req (tCONN_CB *p_ccb, BT_HDR *p_msg)
     BE_STREAM_TO_UINT16 (trans_num, p_req);
     BE_STREAM_TO_UINT16 (param_len, p_req);
 
-    if ((p_req + param_len) > p_req_end)
+    if ((p_req + param_len) != p_req_end)
     {
         sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_PDU_SIZE, SDP_TEXT_BAD_HEADER);
         return;
@@ -220,7 +220,7 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
     /* Check if this is a continuation request */
     if (*p_req)
     {
-        if (*p_req++ != SDP_CONTINUATION_LEN)
+        if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end))
         {
             sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE,
                                      SDP_TEXT_BAD_CONT_LEN);