From 7147c33543b88bea08727ce5f7f0ae3936355b3c Mon Sep 17 00:00:00 2001
From: Jakub Pawlowski
Date: Wed, 10 Oct 2018 20:07:12 +0200
Subject: [PATCH] Fix possible OOB read in process_service_search_rsp
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit b6fa6e4fffe439abc97904b15088af88f983ca0d)
---
 stack/sdp/sdp_discovery.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 9462a2758..42ad0f8cc 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -291,6 +291,11 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
 UINT16 total, cur_handles, orig;
 UINT8 cont_len;
+ if (p_reply + 8 > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "74249842");
+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+ return;
+ }
 /* Skip transaction, and param len */
 p_reply += 4;
 BE_STREAM_TO_UINT16 (total, p_reply);
@@ -311,6 +316,12 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
 if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
 p_ccb->num_handles = sdp_cb.max_recs_per_search;
+ if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "74249842");
+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+ return;
+ }
+
 for (xx = orig; xx < p_ccb->num_handles; xx++)
 BE_STREAM_TO_UINT32 (p_ccb->handles[xx], p_reply);
--
2.11.0
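Review bot: The bound on the first added line is computed by advancing p_reply past the pointer it is compared against, `p_reply + 8 > p_reply_end`, which forms an out-of-range pointer whenever the reply is short — exactly the case the check exists for — and compilers are entitled to fold such comparisons away; a length comparison avoids that, `if (p_reply_end - p_reply < 8) {`, assuming p_reply_end is the one-past-the-end pointer of the same buffer (it is not declared within the hunk). Eight bytes matches the reads visible here: the 4 skipped bytes plus the UINT16 total and, presumably, cur_handles read right after. A comment naming that, `/* 4 skipped + total (2) + cur_handles (2) */`, would keep the constant honest if a field is added later. process_service_search_rsp starts before this hunk and continues after it.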
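Review bot: The added bound accounts for the 4-byte handle loop plus one trailing byte (`+ 1`), which is presumably the cont_len read after the loop; if the continuation bytes that follow that length are then copied out of p_reply — as reading cont_len suggests — that copy is not bounded by anything in this hunk and needs its own check of cont_len against `p_reply_end - p_reply` after the read. As in the first hunk, the pointer-form comparison `p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end` can form an out-of-range pointer on a short reply; comparing lengths instead, `if (p_reply_end - p_reply < (ptrdiff_t)(p_ccb->num_handles - orig) * 4 + 1) {`, keeps the check well-defined. The loop body ends the hunk and the cont_len read lies outside it, so the second point is inferred from the `+ 1` rather than visible here.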