Fix copy length calculation in sdp_copy_raw_data

author Jakub Pawlowski <jpawlowski@google.com>

Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)

committer Ryan Longair <rlongair@google.com>

Wed, 15 Aug 2018 20:24:59 +0000 (13:24 -0700)
author Jakub Pawlowski <jpawlowski@google.com>
Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)
committer Ryan Longair <rlongair@google.com>
Wed, 15 Aug 2018 20:24:59 +0000 (13:24 -0700)
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc

index bf6f43b..b0b4dc7 100644 (file)
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -354,8 +354,15 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
      p = &p_ccb->rsp_list[0];
  
      if (offset) {
+      cpy_len -= 1;
        type = *p++;
+      uint8_t* old_p = p;
        p = sdpu_get_len_from_type(p, type, &list_len);
+      if ((int)cpy_len < (p - old_p)) {
+        SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+        return;
+      }
+      cpy_len -= (p - old_p);
      }
      if (list_len < cpy_len) {
        cpy_len = list_len;
author	Jakub Pawlowski <jpawlowski@google.com>
	Mon, 16 Jul 2018 13:40:35 +0000 (06:40 -0700)
committer	Ryan Longair <rlongair@google.com>
	Wed, 15 Aug 2018 20:24:59 +0000 (13:24 -0700)