Add negative length check in process_service_search_rsp
Bug:225876506
Test: run supplied POC (updated to Android T)
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I0eb0f20eb03e6490ba6c20b3e79c97970c275d9e
(cherry picked from commit 797daed7797c70862b5dc23f50c28981226d1552)
(cherry picked from commit 96f108e8c381e744131dc2f021681b113d6e083b)
Merged-In: I0eb0f20eb03e6490ba6c20b3e79c97970c275d9e
diff --git a/system/stack/sdp/sdp_discovery.cc b/system/stack/sdp/sdp_discovery.cc
index bd8af8e..a6ad62b 100644
--- a/system/stack/sdp/sdp_discovery.cc
+++ b/system/stack/sdp/sdp_discovery.cc
@@ -280,7 +280,7 @@
orig = p_ccb->num_handles;
p_ccb->num_handles += cur_handles;
- if (p_ccb->num_handles == 0) {
+ if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {
SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches");
sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);
return;
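Review bot: The new `p_ccb->num_handles < orig` case in the condition shares the "SDP - Rcvd ServiceSearchRsp, no matches" warning and the `SDP_NO_RECS_MATCH` disconnect reason with the genuinely empty result, so a malformed response that makes the count go backwards is indistinguishable from an empty one in the logs. Consider a separate branch with its own trace message for that case. The check also runs only after `p_ccb->num_handles += cur_handles` has been stored, so the bad sum is already in `p_ccb` when it is detected; validating `cur_handles` before the addition would avoid that. A one-line comment explaining the `< orig` comparison would help as well, since the subject line describes a negative length check while the code tests for a sum smaller than the previous count.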