SDP Server's client req handler currently only checks that the parameter length field does not indicate the parameters to exceed the packet length. Sending SDP PDUs with
- fixed sdp_server_client_req to also check for length field
If an invalid SDP Service Search Request Packet has the continuation info length field set to SDP_CONTINUATION_LEN, but does not contain any continuation information, the SDP server should answer with SDP_INVALID_CONT_STATE.
- fixed process_service_search so the length field is correctly checked
- fixed possible access to 2 bytes of memory outside the packet boundary
Bug: 10904535
Change-Id: I41fd021327fbf4f810ee4319bc95fa0dba0b48df
BE_STREAM_TO_UINT16 (trans_num, p_req);
BE_STREAM_TO_UINT16 (param_len, p_req);
- if ((p_req + param_len) > p_req_end)
+ if ((p_req + param_len) != p_req_end)
{
sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_PDU_SIZE, SDP_TEXT_BAD_HEADER);
return;
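Review bot: The exact-match test `(p_req + param_len) != p_req_end` is only reached after the two BE_STREAM_TO_UINT16 reads of trans_num and param_len, and nothing in the visible lines confirms that at least four bytes remain in the packet before those reads. If the function has no earlier minimum-length check, add one ahead of the reads so a truncated header is rejected before it is parsed. Since `!=` now also rejects packets that carry trailing bytes after the parameters, a short comment above the condition saying that param_len must account for every remaining byte would make the stricter intent clear to the next reader.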
/* Check if this is a continuation request */
if (*p_req)
{
- if (*p_req++ != SDP_CONTINUATION_LEN)
+ if (*p_req++ != SDP_CONTINUATION_LEN || (p_req >= p_req_end))
{
sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE,
SDP_TEXT_BAD_CONT_LEN);
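Review bot: The added `(p_req >= p_req_end)` term only guarantees that one byte remains after the continuation length byte, while the commit message describes an access to 2 bytes outside the packet. If the code that follows reads SDP_CONTINUATION_LEN bytes of continuation state, the condition should compare the full size, for example `(p_req + SDP_CONTINUATION_LEN) > p_req_end`, otherwise a packet ending one byte after the length byte still passes. The condition also depends on the `p_req++` side effect having happened before the right-hand operand is evaluated; that is well defined with `||`, but doing the increment in its own statement and then checking the bounds would be easier to review. Separately, `if (*p_req)` dereferences p_req with no visible check that `p_req < p_req_end`, so it is worth confirming that the earlier parsing cannot leave p_req at the end of the packet.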