From: Yamei Du
Date: Sat, 27 May 2017 02:41:42 +0000 (+0800)
Subject: Fix out-of-bounds reading when copy SDP raw data
X-Git-Tag: android-x86-9.0-r1~186^2~4^2~2^2~83^2
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=04da67a727;p=android-x86%2Fsystem-bt.git

Fix out-of-bounds reading when copy SDP raw data

When no attribute is returned in the SDP response, the cpy_len will be
MAX_DISC_RAW_DATA_BUF; this will cause out-of-bounds reading of the source
buffer when copying the response raw data.

Change-Id: I923d8ee7e08f935e13cec38b75a04beca6174452
---
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc index 9bc87a3ce..1a8679642 100644 --- a/stack/sdp/sdp_discovery.cc +++ b/stack/sdp/sdp_discovery.cc @@ -349,7 +349,7 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) { type = *p++; p = sdpu_get_len_from_type(p, type, &list_len); } - if (list_len && list_len < cpy_len) { + if (list_len < cpy_len) { cpy_len = list_len; } SDP_TRACE_WARNING(
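
Review bot: At `if (list_len < cpy_len)`, the clamp still treats `list_len` as the size of the source data, and in the `offset` branch just above it that value is whatever `sdpu_get_len_from_type(p, type, &list_len)` decoded from the response bytes, after `p` has already advanced past the type and length header. Dropping the `list_len &&` guard covers the empty-response case described in the commit message, but a declared length larger than the data actually held behind `p` would still let the copy read past the source buffer. Consider also bounding `cpy_len` by the number of bytes remaining in the source buffer from `p`, and returning early when `cpy_len` ends up 0 so the trace and the copy that follow are skipped. A one-line comment that 0 is a valid `list_len` here would keep the old guard from being reintroduced.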