Fix unexpected behavior in SDP
Bug: 68776054
Bug: 68817966
Test: Bluetooth SDP still works
Change-Id: I4eef22679a313b88d7e8ec463b29dbb592c6b5b9
(cherry picked from commit 5d6b1b1316afecebd939f77e3d01ab0a400e68a9)
diff --git a/stack/sdp/sdp_server.cc b/stack/sdp/sdp_server.cc
index da85cda..b18f429 100644
--- a/stack/sdp/sdp_server.cc
+++ b/stack/sdp/sdp_server.cc
@@ -23,6 +23,8 @@
*
******************************************************************************/
+#include <cutils/log.h>
+
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -341,6 +343,12 @@
return;
}
+ if (max_list_len < 4) {
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+ android_errorWriteLog(0x534e4554, "68776054");
+ return;
+ }
+
/* Free and reallocate buffer */
osi_free(p_ccb->rsp_list);
p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);
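Review bot: The lower bound in `if (max_list_len < 4)` is a bare literal with no comment, and the same literal is repeated in the second check added at `@@ -551,6 +559,12 @@`, so nothing visible says which bytes of the response it accounts for. `max_list_len` is the size passed to `osi_malloc` just below and presumably comes from the peer's request, so anyone auditing later writes into `rsp_list` needs that minimum stated. I would share one named constant between both checks, e.g. `if (max_list_len < SDP_MIN_RSP_LIST_LEN) {` (the name is only a suggestion), and document it with something like `/* smallest rsp_list the response builder can fill without writing past the allocation */`, if that is indeed what the 4 stands for. Whether an upper bound is applied before the allocation cannot be seen here, because the enclosing function starts and ends outside the hunk.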
@@ -551,6 +559,12 @@
memcpy(&attr_seq_sav, &attr_seq, sizeof(tSDP_ATTR_SEQ));
+ if (max_list_len < 4) {
+ sdpu_build_n_send_error(p_ccb, trans_num, SDP_ILLEGAL_PARAMETER, NULL);
+ android_errorWriteLog(0x534e4554, "68817966");
+ return;
+ }
+
/* Free and reallocate buffer */
osi_free(p_ccb->rsp_list);
p_ccb->rsp_list = (uint8_t*)osi_malloc(max_list_len);