system/bt
| Révision | d3c7b86f225c877099bb4416c58fc494f0d00faa (tree) |
|---|---|
| l'heure | 2018-10-20 01:33:11 |
| Auteur | Jakub Pawlowski <jpawlowski@goog...> |
| Commiter | android-build-team Robot |
Fix possible OOB read
Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit 6e6c347e798bf8195a9a02457edf871a97b1cfad)
stack/sdp/sdp_discovery.cc (diff)| @@ -277,6 +277,11 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
| 277 | 277 | uint16_t total, cur_handles, orig; |
| 278 | 278 | uint8_t cont_len; |
| 279 | 279 | |
| 280 | + if (p_reply + 8 > p_reply_end) { | |
| 281 | + android_errorWriteLog(0x534e4554, "74249842"); | |
| 282 | + sdp_disconnect(p_ccb, SDP_GENERIC_ERROR); | |
| 283 | + return; | |
| 284 | + } | |
| 280 | 285 | /* Skip transaction, and param len */ |
| 281 | 286 | p_reply += 4; |
| 282 | 287 | BE_STREAM_TO_UINT16(total, p_reply); |
| @@ -295,6 +300,12 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, | ||
| 295 | 300 | if (p_ccb->num_handles > sdp_cb.max_recs_per_search) |
| 296 | 301 | p_ccb->num_handles = sdp_cb.max_recs_per_search; |
| 297 | 302 | |
| 303 | + if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) { | |
| 304 | + android_errorWriteLog(0x534e4554, "74249842"); | |
| 305 | + sdp_disconnect(p_ccb, SDP_GENERIC_ERROR); | |
| 306 | + return; | |
| 307 | + } | |
| 308 | + | |
| 298 | 309 | for (xx = orig; xx < p_ccb->num_handles; xx++) |
| 299 | 310 | BE_STREAM_TO_UINT32(p_ccb->handles[xx], p_reply); |
| 300 | 311 |
Fork