DO NOT MERGE Fix unexpected behavior in SDP

Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
Merged-In: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9

diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c
index 23d72a3..aa2d85e 100644 (file)
--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -23,6 +23,8 @@
  *
  ******************************************************************************/
 
+#include <cutils/log.h>
+
 #include <stdlib.h>
 #include <string.h>
 #include <stdio.h>
@@ -363,6 +365,12 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
         return;
     }
 
+    if (max_list_len < 4) {
+        sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+        android_errorWriteLog(0x534e4554, "68776054");
+        return;
+    }
+
     /* Check if this is a continuation request */
     if (*p_req)
     {
@@ -624,6 +632,12 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
 
     memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ)) ;
 
+    if (max_list_len < 4) {
+        sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+        android_errorWriteLog(0x534e4554, "68817966");
+        return;
+    }
+
     /* Check if this is a continuation request */
     if (*p_req)
     {