From b6dffc12ed1dc044ee3b67026140d37f325d7306 Mon Sep 17 00:00:00 2001
From: Zhihai Xu
Date: Mon, 16 Dec 2013 19:20:52 -0800
Subject: [PATCH] Crash pairing keyboard/mouse on N5
The crash is caused by read the source string out of bound. Should limit the length to copy less than source string length. should use the MIN(SDP_DISC_ATTR_LEN(p_curr_attr->attr_len_type), SDP_MAX_ATTR_LEN); as the length to copy.
bug:12166360
Change-Id: I871d7dcaa8bf73aa27e9088417b35b677924bebd
---
 stack/sdp/sdp_api.c | 47 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 32 insertions(+), 15 deletions(-)
diff --git a/stack/sdp/sdp_api.c b/stack/sdp/sdp_api.c
index a1f8c24fd..7af690b79 100644
--- a/stack/sdp/sdp_api.c
+++ b/stack/sdp/sdp_api.c
@@ -989,6 +989,34 @@ UINT8 SDP_GetNumDiRecords( tSDP_DISCOVERY_DB *p_db )
 /*******************************************************************************
 **
+** Function SDP_AttrStringCopy
+**
+** Description This function copy given attribute to specified buffer as a string
+**
+** Returns none
+**
+*******************************************************************************/
+static void SDP_AttrStringCopy(char *dst, tSDP_DISC_ATTR *p_attr, UINT16 dst_size)
+{
+ if ( dst == NULL ) return;
+ if ( p_attr )
+ {
+ UINT16 len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);
+ if ( len > dst_size - 1 )
+ {
+ len = dst_size - 1;
+ }
+ memcpy(dst, (char *)p_attr->attr_value.v.array, len);
+ dst[len] = '\0';
+ }
+ else
+ {
+ dst[0] = '\0';
+ }
+}
+
+/*******************************************************************************
+**
 ** Function SDP_GetDiRecord
 **
 ** Description This function retrieves a remote device's DI record from 
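Review bot: The bound check `if ( len > dst_size - 1 )` in SDP_AttrStringCopy does not reject `dst_size == 0`: after integer promotion the right-hand side is -1, the comparison is always true, and the assignment truncates -1 to 65535 in `len`, so the memcpy would write far past `dst` (the `else` branch would still store `dst[0]` as well). The callers in this patch pass SDP_MAX_ATTR_LEN, so this is not reachable today, but the helper should enforce its own contract with `if ( dst == NULL || dst_size == 0 ) return;`. Nothing checks the attribute's type before its bytes are treated as a string; if the helper is only meant for text/URL attributes, a `SDP_DISC_ATTR_TYPE(p_attr->attr_len_type)` check, or a comment stating that the caller guarantees a string attribute, would make that explicit. The header comment could also state the contract: `** Description Copies at most dst_size - 1 bytes of the attribute value into dst and NUL-terminates it; dst becomes "" when p_attr is NULL.`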
@@ -1028,27 +1056,16 @@ UINT16 SDP_GetDiRecord( UINT8 get_record_index, tSDP_DI_GET_RECORD *p_device_inf
 /* ClientExecutableURL is optional */
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_CLIENT_EXE_URL );
- if ( p_curr_attr )
- BCM_STRNCPY_S( p_device_info->rec.client_executable_url, sizeof(p_device_info->rec.client_executable_url),
- (char *)p_curr_attr->attr_value.v.array, SDP_MAX_ATTR_LEN );
- else
- p_device_info->rec.client_executable_url[0] = '\0';
+ SDP_AttrStringCopy( p_device_info->rec.client_executable_url, p_curr_attr,
+ SDP_MAX_ATTR_LEN );
 /* Service Description is optional */
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_SERVICE_DESCRIPTION );
- if ( p_curr_attr )
- BCM_STRNCPY_S( p_device_info->rec.service_description, sizeof(p_device_info->rec.service_description),
- (char *)p_curr_attr->attr_value.v.array, SDP_MAX_ATTR_LEN );
- else
- p_device_info->rec.service_description[0] = '\0';
+ SDP_AttrStringCopy( p_device_info->rec.service_description, p_curr_attr, SDP_MAX_ATTR_LEN );
 /* DocumentationURL is optional */
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_DOCUMENTATION_URL );
- if ( p_curr_attr )
- BCM_STRNCPY_S( p_device_info->rec.documentation_url, sizeof(p_device_info->rec.documentation_url),
- (char *)p_curr_attr->attr_value.v.array, SDP_MAX_ATTR_LEN );
- else
- p_device_info->rec.documentation_url[0] = '\0';
+ SDP_AttrStringCopy( p_device_info->rec.documentation_url, p_curr_attr, SDP_MAX_ATTR_LEN );
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_SPECIFICATION_ID );
 if ( p_curr_attr )
-- 
2.11.0
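Review bot: The three new SDP_AttrStringCopy calls pass `SDP_MAX_ATTR_LEN` as `dst_size`, whereas the removed BCM_STRNCPY_S calls bounded the write by `sizeof(p_device_info->rec.client_executable_url)` (and likewise for service_description and documentation_url), so the write bound is now a constant rather than the destination's actual size. If any of those arrays is, or later becomes, smaller than SDP_MAX_ATTR_LEN the helper will overrun it; passing the field size keeps the bound self-evident, e.g. `SDP_AttrStringCopy( p_device_info->rec.client_executable_url, p_curr_attr, sizeof(p_device_info->rec.client_executable_url) );`. The same change applies to the service_description and documentation_url calls. SDP_GetDiRecord begins and ends outside this hunk.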