OSDN Git Service

(root) / android-x86 / system-bt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 81d0e32)
SDP: return error on offset bigger than atribute length
authorJakub Pawlowski <jpawlowski@google.com>
Fri, 22 Jun 2018 11:46:39 +0000 (04:46 -0700)
committerMax Spector <mspector@google.com>
Fri, 20 Jul 2018 20:53:34 +0000 (13:53 -0700)
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
Merged-In: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 3565eaf72d810688bf91f75002da1f25039996df)

stack/sdp/sdp_server.c patch | blob | history

diff --git a/stack/sdp/sdp_server.c b/stack/sdp/sdp_server.c
index f3794d4..a1c0526 100644 (file)
--- a/stack/sdp/sdp_server.c
+++ b/stack/sdp/sdp_server.c
@@ -441,6 +441,14 @@ static void process_service_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
             /* if there is a partial attribute pending to be sent */
             if (p_ccb->cont_info.attr_offset)
             {
+                if (attr_len < p_ccb->cont_info.attr_offset)
+                {
+                    android_errorWriteLog(0x534e4554, "79217770");
+                    SDP_TRACE_ERROR("offset is bigger than attribute length");
+                    sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                            SDP_TEXT_BAD_CONT_LEN);
+                    return;
+                }
                 p_rsp = sdpu_build_partial_attrib_entry (p_rsp, p_attr, rem_len,
                                                          &p_ccb->cont_info.attr_offset);
 
@@ -693,6 +701,14 @@ static void process_service_search_attr_req (tCONN_CB *p_ccb, UINT16 trans_num,
                 /* if there is a partial attribute pending to be sent */
                 if (p_ccb->cont_info.attr_offset)
                 {
+                    if (attr_len < p_ccb->cont_info.attr_offset)
+                    {
+                        android_errorWriteLog(0x534e4554, "79217770");
+                        SDP_TRACE_ERROR("offset is bigger than attribute length");
+                        sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+                                                SDP_TEXT_BAD_CONT_LEN);
+                        return;
+                    }
                     p_rsp = sdpu_build_partial_attrib_entry (p_rsp, p_attr, rem_len,
                                                              &p_ccb->cont_info.attr_offset);
 
system/bt
About OSDN
Find Software
Develop Software
Help