Fix copy length calculation in sdp_copy_raw_data
Test: compilation
Bug: 110216176
Change-Id: Ic4a19c9f0fe8cd592bc6c25dcec7b1da49ff7459
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index 4b132f7..e06d20a 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -352,8 +352,15 @@
p = &p_ccb->rsp_list[0];
if (offset) {
+ cpy_len -= 1;
type = *p++;
+ uint8_t* old_p = p;
p = sdpu_get_len_from_type(p, type, &list_len);
+ if ((int)cpy_len < (p - old_p)) {
+ SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
+ return;
+ }
+ cpy_len -= (p - old_p);
}
if (list_len < cpy_len) {
cpy_len = list_len;
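Review bot: `cpy_len -= 1;` runs before any check, so if the raw-data buffer is already full and `cpy_len` is unsigned (the `(int)` cast suggests it is; the declaration is outside the hunk), the value wraps and the early return works only because the cast turns the wrapped value negative. I would guard first with `if (cpy_len == 0) return;` (keeping the same warning log) and compare without the narrowing cast, `if (cpy_len < (size_t)(p - old_p))`, so a legitimate size above INT_MAX is not misread either. Separately, the new checks bound only the destination side. `list_len` appears to be whatever `sdpu_get_len_from_type` decoded from the response, and the hunk shows no check that `rsp_list` actually holds the type byte, the length bytes and `list_len` bytes of data, so the later copy should be confirmed against the received length. The function starts and ends outside the hunk.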