From: Hansong Zhang
Date: Wed, 10 Jan 2018 01:16:35 +0000 (-0800)
Subject: Fix unexpected behavior in SDP
X-Git-Tag: android-x86-8.1-r1~9^2~2^2~6
X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=f0edf6571d2d58e66ee0b100ebe49c585d31489f;p=android-x86%2Fsystem-bt.git

Fix unexpected behavior in SDP

Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit 5d6b1b1316afecebd939f77e3d01ab0a400e68a9)
---

diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index da85cda28..b18f42959 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -23,6 +23,8 @@
 *
 ******************************************************************************/

+#include
+
 #include
 #include
 #include
@@ -341,6 +343,12 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
 return;
 }

+ if (max_list_len < 4) {
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+ android_errorWriteLog(0x534e4554, "68776054");
+ return;
+ }
+
 /* Free and reallocate buffer */
 osi_free(p_ccb->rsp_list);
 p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);
@@ -551,6 +559,12 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,

 memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ));

+ if (max_list_len < 4) {
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+ android_errorWriteLog(0x534e4554, "68817966");
+ return;
+ }
+
 /* Free and reallocate buffer */
 osi_free(p_ccb->rsp_list);
 p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);
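Review bot: The bound in `if (max_list_len < 4)` is a bare literal with no comment, here in process_service_attr_req and again in the process_service_search_attr_req hunk, so a reader cannot tell which write into `p_ccb->rsp_list` it protects. Because `max_list_len` sizes the `osi_malloc` on the lines that follow and appears to be taken from the peer's request, I would state the invariant above each check, for example `/* rsp_list must be large enough for the response header built below; reject smaller requested sizes */`; the reason for exactly 4 lies in code outside these hunks and should be confirmed there. If the value is the request's MaximumAttributeByteCount, the SDP specification gives 0x0007 as its minimum, so 4 to 6 would still pass this check while being out of range, and rejecting anything below 7 may be the cleaner rule. Both function bodies start and end outside the hunks.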