SDP: return error on offset bigger than attribute length
Test: none
Bug: 79217770
Change-Id: I8b594882dd07644b1a747c53d6166db466b7e998
(cherry picked from commit 0a74ffa44cbe48f674387cc951e6011c28ca003c)
diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index 121c248a..dcf8e78 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -421,6 +421,13 @@
attr_len = sdpu_get_attrib_entry_len(p_attr);
/* if there is a partial attribute pending to be sent */
if (p_ccb->cont_info.attr_offset) {
+ if (attr_len < p_ccb->cont_info.attr_offset) {
+ android_errorWriteLog(0x534e4554, "79217770");
+ LOG(ERROR) << "offset is bigger than attribute length";
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+ SDP_TEXT_BAD_CONT_LEN);
+ return;
+ }
p_rsp = sdpu_build_partial_attrib_entry(p_rsp, p_attr, rem_len,
&p_ccb->cont_info.attr_offset);
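Review bot: The new guard in this hunk, and the identical one in the hunk at -660, rejects only `attr_len < p_ccb->cont_info.attr_offset`, so an offset equal to the attribute length still reaches `sdpu_build_partial_attrib_entry` with nothing left to copy. That helper is not visible here, so it is worth confirming that it handles a zero-byte remainder and recording that in a comment such as `/* offset == attr_len is allowed: the partial builder copies zero bytes */`, or tightening the test if it does not. The declarations of `attr_len` and `attr_offset` are also outside the hunk, and the comparison presumably relies on both having the same signedness and width. Because the seven added lines are duplicated verbatim in both handlers, a small static helper would keep the two checks from drifting apart. The enclosing functions start and end outside both hunks, so whether the early `return` skips any cleanup or leaves stale continuation state in `p_ccb->cont_info` cannot be checked from here.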
@@ -660,6 +667,13 @@
attr_len = sdpu_get_attrib_entry_len(p_attr);
/* if there is a partial attribute pending to be sent */
if (p_ccb->cont_info.attr_offset) {
+ if (attr_len < p_ccb->cont_info.attr_offset) {
+ android_errorWriteLog(0x534e4554, "79217770");
+ LOG(ERROR) << "offset is bigger than attribute length";
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_INVALID_CONT_STATE,
+ SDP_TEXT_BAD_CONT_LEN);
+ return;
+ }
p_rsp = sdpu_build_partial_attrib_entry(
p_rsp, p_attr, rem_len, &p_ccb->cont_info.attr_offset);