From 5d6b1b1316afecebd939f77e3d01ab0a400e68a9 Mon Sep 17 00:00:00 2001
From: Hansong Zhang
Date: Tue, 9 Jan 2018 17:16:35 -0800
Subject: [PATCH] Fix unexpected behavior in SDP

Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
---
 stack/sdp/sdp_server.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index 24a168c85..664db712d 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -23,6 +23,8 @@
 *
 ******************************************************************************/

+#include
+
 #include
 #include
 #include
@@ -343,6 +345,12 @@ static void process_service_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,
 return;
 }

+ if (max_list_len < 4) {
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+ android_errorWriteLog(0x534e4554, "68776054");
+ return;
+ }
+
 /* Free and reallocate buffer */
 osi_free(p_ccb->rsp_list);
 p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);
@@ -553,6 +561,12 @@ static void process_service_search_attr_req(tCONN_CB* p_ccb, uint16_t trans_num,

 memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ));

+ if (max_list_len < 4) {
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+ android_errorWriteLog(0x534e4554, "68817966");
+ return;
+ }
+
 /* Free and reallocate buffer */
 osi_free(p_ccb->rsp_list);
 p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);
-- 
2.11.0
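Review bot: The bare `4` in `if (max_list_len < 4)` in process_service_attr_req does not say which response bytes it guarantees room for, and the same literal is repeated in the process_service_search_attr_req hunk. max_list_len sizes the `osi_malloc(max_list_len)` directly below and, as far as the hunk shows, is derived from the peer's request, so this lower bound is a security boundary that a later edit could loosen without noticing. I would define it once as a named constant shared by both checks (name left to the maintainers) and document it with a comment such as `/* Smallest max_list_len the response builder below can honour; smaller peer-supplied values are rejected. */`. The code that fills rsp_list lies outside both hunks, so it is worth confirming there that a value of exactly 4 is safe.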
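Review bot: Neither new rejection path is exercised by a test: the commit's `Test:` line only states that SDP still works, which covers the accepted range but not max_list_len values below 4. A unit test that feeds each handler a request with max_list_len of 3 and of 4, and checks for SDP_ILLEGAL_PARAMETER versus a normal response, would pin the boundary for both process_service_search_attr_req and process_service_attr_req. In this hunk the check also sits after `memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ));`, so the attribute list is parsed and copied before the request is refused. Moving the check up to where max_list_len is read (outside the hunk) would reject earlier, provided nothing in between depends on it.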