Fix possible OOB read in process_service_search_rsp

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index 6402b79..92d65b6 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -291,6 +291,11 @@
     UINT16      total, cur_handles, orig;
     UINT8       cont_len;
 
+    if (p_reply + 8 > p_reply_end) {
+        android_errorWriteLog(0x534e4554, "74249842");
+        sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+        return;
+    }
     /* Skip transaction, and param len */
     p_reply += 4;
     BE_STREAM_TO_UINT16 (total, p_reply);
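Review bot: The added guard `p_reply + 8 > p_reply_end` builds a pointer beyond the end of the reply buffer exactly when the packet is too short, which is undefined behaviour in C, so a compiler may treat the comparison as always false. Comparing the remaining length avoids forming that pointer: `if (p_reply_end - p_reply < 8) {`. The second added guard, before the handle-copy loop, has the same shape with an offset taken from the peer-supplied handle count, and would read `if (p_reply_end - p_reply < (p_ccb->num_handles - orig) * 4 + 1) {`. The `+ 1` there deserves a short comment such as `/* handles plus the continuation-length byte */`, assuming that is the byte read after the loop, which is outside the hunk. The body of process_service_search_rsp starts and ends outside both hunks, so how p_reply_end is derived could not be checked here.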
@@ -311,6 +316,12 @@
     if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
         p_ccb->num_handles = sdp_cb.max_recs_per_search;
 
+    if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
+        android_errorWriteLog(0x534e4554, "74249842");
+        sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
+        return;
+    }
+
     for (xx = orig; xx < p_ccb->num_handles; xx++)
         BE_STREAM_TO_UINT32 (p_ccb->handles[xx], p_reply);