From: Jakub Pawlowski <jpawlowski@google.com>
Date: Mon, 16 Jul 2018 13:40:35 +0000 (-0700)
Subject: Fix copy length calculation in sdp_copy_raw_data
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=23aa15743397b345f3d948289fe90efa2a2e2b3e;hp=e6d78b9c372dccc135a78fa6ce0a69af59a9250b;p=android-x86%2Fsystem-bt.git

Fix copy length calculation in sdp_copy_raw_data

Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
---

diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index 4b132f7a1..e06d20ac7 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -352,8 +352,15 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) {
     p = &p_ccb->rsp_list[0];
 
     if (offset) {
+      cpy_len -= 1;
       type = *p++;
+      uint8_t* old_p = p;
       p = sdpu_get_len_from_type(p, type, &list_len);
+      if ((int)cpy_len < (p - old_p)) {
+        SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+        return;
+      }
+      cpy_len -= (p - old_p);
     }
     if (list_len < cpy_len) {
       cpy_len = list_len;