Add PDU size checks in process_service_search_attr_rsp

Bug: 79884292
Change-Id: Icc02a6188f806f766aa8676804d74995afa08d25
Merged-In: Icc02a6188f806f766aa8676804d74995afa08d25
(cherry picked from commit 3181bdee7d207c9894dd1dfca02fad71cb2430e8)
diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c
index b01d834..f0728ec 100644
--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -574,6 +574,13 @@
     /* If p_reply is NULL, we were called for the initial read */
     if (p_reply)
     {
+        if (p_reply + 4 /* transaction ID and length */ + sizeof(lists_byte_count) >
+            p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
 #if (SDP_DEBUG_RAW == TRUE)
         SDP_TRACE_WARNING("ID & len: 0x%02x-%02x-%02x-%02x",
             p_reply[0], p_reply[1], p_reply[2], p_reply[3]);
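Review bot: The bound added at the top of the `if (p_reply)` block is tested by pointer addition (`p_reply + 4 + sizeof(lists_byte_count) > p_reply_end`), which forms a pointer beyond the end of the buffer on exactly the short PDUs it is meant to reject. C leaves that computation undefined, so a compiler may assume it never happens. Comparing the remaining length avoids the problem: `if ((size_t)(p_reply_end - p_reply) < 4 + sizeof(lists_byte_count)) {`. The second added check (before the `memcpy`) has the same shape, and `lists_byte_count` there appears to come from the response itself, so the overshoot can be much larger; the equivalent form is `if ((size_t)(p_reply_end - p_reply) < (size_t)lists_byte_count + 1) {`. Both rewrites assume `p_reply_end >= p_reply` on entry, which this hunk does not show, and the function body starts and ends outside it.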
@@ -597,6 +604,13 @@
         SDP_TRACE_WARNING("list_len: %d, list_byte_count: %d",
             p_ccb->list_len, lists_byte_count);
 #endif
+
+        if (p_reply + lists_byte_count + 1 /* continuation */ > p_reply_end) {
+            android_errorWriteLog(0x534e4554, "79884292");
+            sdp_disconnect(p_ccb, SDP_INVALID_PDU_SIZE);
+            return;
+        }
+
         if (p_ccb->rsp_list == NULL)
             p_ccb->rsp_list = (UINT8 *)osi_malloc(SDP_MAX_LIST_BYTE_COUNT);
         memcpy (&p_ccb->rsp_list[p_ccb->list_len], p_reply, lists_byte_count);
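Review bot: The check added before the `memcpy` bounds only the read from `p_reply`; nothing in this hunk bounds the write into `p_ccb->rsp_list`, which is allocated with `SDP_MAX_LIST_BYTE_COUNT` bytes and written at offset `p_ccb->list_len`. A guard may already exist in the lines between the two hunks, so this needs confirming against the full function. If it does not, `p_ccb->list_len + lists_byte_count > SDP_MAX_LIST_BYTE_COUNT` should be rejected here with the same disconnect-and-return path, so both sides of the copy are validated together. If it does, a one-line comment above the `memcpy` such as `/* src bounded by p_reply_end above; dst bounded by the SDP_MAX_LIST_BYTE_COUNT check */` would make the pairing explicit for the next reader. The function continues past the end of the hunk.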