SDP: Pass the bounds to process_service_*_rsp
Test: build
Bug: 68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit 3c7bd5a8453110a7bd1351648c5a4001b99afa70)
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc
index fd9339f..574f5bc 100644
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -33,6 +33,7 @@
#include "hcidefs.h"
#include "hcimsgs.h"
#include "l2cdefs.h"
+#include "log/log.h"
#include "sdp_api.h"
#include "sdpint.h"
@@ -43,9 +44,12 @@
/******************************************************************************/
/* L O C A L F U N C T I O N P R O T O T Y P E S */
/******************************************************************************/
-static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply);
-static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply);
-static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply);
+static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end);
+static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end);
+static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end);
static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end);
static tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db,
const RawAddress& p_bda);
@@ -187,7 +191,7 @@
if (p_ccb->is_attr_search) {
p_ccb->disc_state = SDP_DISC_WAIT_SEARCH_ATTR;
- process_service_search_attr_rsp(p_ccb, NULL);
+ process_service_search_attr_rsp(p_ccb, NULL, NULL);
} else {
/* First step is to get a list of the handles from the server. */
/* We are not searching for a specific attribute, so we will */
@@ -221,6 +225,7 @@
/* Got a reply!! Check what we got back */
p = (uint8_t*)(p_msg + 1) + p_msg->offset;
+ uint8_t* p_end = (uint8_t*)(p_msg + 1) + p_msg->len;
BE_STREAM_TO_UINT8(rsp_pdu, p);
@@ -229,21 +234,21 @@
switch (rsp_pdu) {
case SDP_PDU_SERVICE_SEARCH_RSP:
if (p_ccb->disc_state == SDP_DISC_WAIT_HANDLES) {
- process_service_search_rsp(p_ccb, p);
+ process_service_search_rsp(p_ccb, p, p_end);
invalid_pdu = false;
}
break;
case SDP_PDU_SERVICE_ATTR_RSP:
if (p_ccb->disc_state == SDP_DISC_WAIT_ATTR) {
- process_service_attr_rsp(p_ccb, p);
+ process_service_attr_rsp(p_ccb, p, p_end);
invalid_pdu = false;
}
break;
case SDP_PDU_SERVICE_SEARCH_ATTR_RSP:
if (p_ccb->disc_state == SDP_DISC_WAIT_SEARCH_ATTR) {
- process_service_search_attr_rsp(p_ccb, p);
+ process_service_search_attr_rsp(p_ccb, p, p_end);
invalid_pdu = false;
}
break;
@@ -266,7 +271,8 @@
* Returns void
*
******************************************************************************/
-static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) {
+static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end) {
uint16_t xx;
uint16_t total, cur_handles, orig;
uint8_t cont_len;
@@ -298,6 +304,11 @@
sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
return;
}
+ if (p_reply + cont_len > p_reply_end) {
+ android_errorWriteLog(0x534e4554, "68161546");
+ sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE);
+ return;
+ }
/* stay in the same state */
sdp_snd_service_search_req(p_ccb, cont_len, p_reply);
} else {
@@ -305,7 +316,7 @@
p_ccb->disc_state = SDP_DISC_WAIT_ATTR;
/* Kick off the first attribute request */
- process_service_attr_rsp(p_ccb, NULL);
+ process_service_attr_rsp(p_ccb, NULL, NULL);
}
}
@@ -370,7 +381,8 @@
* Returns void
*
******************************************************************************/
-static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) {
+static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end) {
uint8_t *p_start, *p_param_len;
uint16_t param_len, list_byte_count;
bool cont_request_needed = false;
@@ -469,8 +481,12 @@
/* Was this a continuation request ? */
if (cont_request_needed) {
- memcpy(p, p_reply, *p_reply + 1);
- p += *p_reply + 1;
+ if ((p_reply + *p_reply + 1) <= p_reply_end) {
+ memcpy(p, p_reply, *p_reply + 1);
+ p += *p_reply + 1;
+ } else {
+ android_errorWriteLog(0x534e4554, "68161546");
+ }
} else
UINT8_TO_BE_STREAM(p, 0);
@@ -502,7 +518,8 @@
* Returns void
*
******************************************************************************/
-static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) {
+static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
+ uint8_t* p_reply_end) {
uint8_t *p, *p_start, *p_end, *p_param_len;
uint8_t type;
uint32_t seq_len;
@@ -599,8 +616,12 @@
/* No continuation for first request */
if (p_reply) {
- memcpy(p, p_reply, *p_reply + 1);
- p += *p_reply + 1;
+ if ((p_reply + *p_reply + 1) <= p_reply_end) {
+ memcpy(p, p_reply, *p_reply + 1);
+ p += *p_reply + 1;
+ } else {
+ android_errorWriteLog(0x534e4554, "68161546");
+ }
} else
UINT8_TO_BE_STREAM(p, 0);
