From c0532307d35ac86f5427243809f2c98b4fd8cacd Mon Sep 17 00:00:00 2001 From: Srinu Jella Date: Mon, 22 Dec 2014 19:46:28 +0530 Subject: [PATCH] Allocated requested buffer size in SDP attribute request Use case: Allocated required GKI buf in sdp attr req 1. Enter UUID - 0100 for L2CAP or 110C for AVRCP Target so DUT sends continuation frame for TSPX_sdp_service_search_pattern on PTS 2. Start Test case TP/SSA/BV-06 in PTSv6.0 Failure: Some PTS test cases request less attributes in first packet and request more attributes in continuation packets. As stack allocates the buf in start packet and using the same buf in continuation packets, it's causing buffer corruption and crash Root cause: Buffer allocated for start packet is not sufficient in continuation packets Fix: Fixing this issue by dynamically allocating buffer in continuation packets of service_search_attr_req and service_attr_req Bug: 21896912 Change-Id: I8daeffb7d6486c7b916ad2f0505ad422d91a613c
---
 stack/sdp/sdp_server.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c
index e11e602fa..5dd6b92c3 100644
--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -366,6 +366,17 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
 /* Check if this is a continuation request */
 if (*p_req)
 {
+ /* Free and reallocate buffer */
+ if (p_ccb->rsp_list)
+ GKI_freebuf(p_ccb->rsp_list);
+
+ p_ccb->rsp_list = (UINT8 *)GKI_getbuf(max_list_len);
+ if (p_ccb->rsp_list == NULL)
+ {
+ SDP_TRACE_ERROR("%s No scratch buf for attr rsp", __func__);
+ return;
+ }
+
 if (*p_req++ != SDP_CONTINUATION_LEN)
 {
 sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN);
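Review bot: The scratch buffer is freed and reallocated at the top of the continuation branch, before the `SDP_CONTINUATION_LEN` check that follows it, so a request with a malformed continuation state still costs a free and an allocation before it is rejected. Moving the block below the continuation-state validation (which continues outside this hunk) would keep rejected requests from touching `p_ccb->rsp_list`. The allocation-failure path also returns without answering the peer, unlike the neighbouring error path; consider `sdpu_build_n_send_error (p_ccb, trans_num, SDP_NO_RESOURCES, NULL);` before the `return`. `max_list_len` is computed outside the hunk; if it is derived from the request, confirm that every write into the new buffer is bounded by it. The same points apply to the identical block added to `process_service_search_attr_req`.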
@@ -616,6 +627,19 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
 /* Check if this is a continuation request */
 if (*p_req)
 {
+ /* Free and reallocate buffer */
+ if (p_ccb->rsp_list)
+ {
+ GKI_freebuf (p_ccb->rsp_list);
+ }
+
+ p_ccb->rsp_list = (UINT8 *)GKI_getbuf (max_list_len);
+ if (p_ccb->rsp_list == NULL)
+ {
+ SDP_TRACE_ERROR ("SDP - no scratch buf for search rsp");
+ return;
+ }
+
 if (*p_req++ != SDP_CONTINUATION_LEN)
 {
 sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_LEN);
-- 2.11.0
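Review bot: This block duplicates the one added to `process_service_attr_req`, but with different bracing, call spacing and trace text (`"SDP - no scratch buf for search rsp"` versus the `%s`/`__func__` form), so the two copies can drift apart. A small static helper called from both continuation branches would keep the free-and-reallocate logic in one place. The helper name below is only a suggestion, and its length parameter should use whatever type `max_list_len` is declared with outside the hunk. Reusing the existing buffer when `GKI_get_buf_size` reports it is already large enough would also avoid a free and an allocation on every continuation packet.

```c
/* Ensure p_ccb->rsp_list can hold `len` bytes; returns FALSE when no buffer is available. */
static BOOLEAN sdp_ensure_rsp_list (tCONN_CB *p_ccb, UINT16 len)
{
    if (p_ccb->rsp_list)
    {
        /* Keep the current buffer when it is already big enough. */
        if (GKI_get_buf_size (p_ccb->rsp_list) >= len)
            return TRUE;
        GKI_freebuf (p_ccb->rsp_list);
    }

    p_ccb->rsp_list = (UINT8 *)GKI_getbuf (len);
    return (p_ccb->rsp_list != NULL);
}

/* … in each continuation branch, in place of the duplicated block … */
        if (!sdp_ensure_rsp_list (p_ccb, max_list_len))
        {
            SDP_TRACE_ERROR ("%s no scratch buf for rsp", __func__);
            return;
        }
```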