From 3652ed82b3e0deea8dbc492214a75cab35221796 Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski
Date: Fri, 22 Jun 2018 04:46:39 -0700
Subject: [PATCH] SDP: return error on offset bigger than atribute length

Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
---
 stack/sdp/sdp_server.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index d2bbd6c4d..510b8dc7a 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -421,6 +421,13 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
 attr_len = sdpu_get_attrib_entry_len(p_attr);
 /* if there is a partial attribute pending to be sent */
 if (p_ccb->cont_info.attr_offset) {
+ if (attr_len < p_ccb->cont_info.attr_offset) {
+ android_errorWriteLog(0x534e4554, "79217770");
+ LOG(ERROR) << "offset is bigger than attribute length";
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN);
+ return;
+ }
 p_rsp = sdpu_build_partial_attrib_entry(p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);
@@ -661,6 +668,13 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
 attr_len = sdpu_get_attrib_entry_len(p_attr);
 /* if there is a partial attribute pending to be sent */
 if (p_ccb->cont_info.attr_offset) {
+ if (attr_len < p_ccb->cont_info.attr_offset) {
+ android_errorWriteLog(0x534e4554, "79217770");
+ LOG(ERROR) << "offset is bigger than attribute length";
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN);
+ return;
+ }
 p_rsp = sdpu_build_partial_attrib_entry( p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);
-- 
2.11.0
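Review bot: The new `return;` after sdpu_build_n_send_error in process_service_attr_req leaves the function without releasing the response buffer that p_rsp is already being written into, so if that buffer is heap-allocated earlier in the function (the allocation is above the hunk, so confirm) this error path leaks it once per malformed continuation state; release it before `return;` the same way the function's normal completion disposes of it. The identical early exit is added to process_service_search_attr_req in the second hunk and needs the same cleanup. The log line also carries no values; `LOG(ERROR) << "offset " << p_ccb->cont_info.attr_offset << " is bigger than attribute length " << attr_len;` would make a peer sending an inconsistent continuation offset easier to triage. The seven added lines are byte-for-byte identical in both hunks and would read better as one static helper taking p_ccb, trans_num and attr_len. Both enclosing functions start and continue outside the hunks.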