system/bt
修訂 | 08a5ae9e2c1b4f40206380cb120e34b791d90242 (tree) |
---|---|
時間 | 2016-09-21 18:09:22 |
作者 | Venkata Jagadeesh Garaga <vgaraga@code...> |
Commiter | Venkata Jagadeesh Garaga |
SDP: Crash in sdp due to invalid length
Crashed in memcpy as there is no boundary check
for copy length and length exceeds the allocated
buffer size.
Align copy length with source buffer offset
so that copy length will be in boundary of the
allocated buffer size
Change-Id: I4a2e429484378d23c996caffb6495407793548d2
CRs-Fixed: 1069198
@@ -347,7 +347,7 @@ static void process_service_search_rsp (tCONN_CB *p_ccb, UINT8 *p_reply) | ||
347 | 347 | #if (SDP_RAW_DATA_INCLUDED == TRUE) |
348 | 348 | static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset) |
349 | 349 | { |
350 | - unsigned int cpy_len; | |
350 | + unsigned int cpy_len, rem_len; | |
351 | 351 | UINT32 list_len; |
352 | 352 | UINT8 *p; |
353 | 353 | UINT8 type; |
@@ -378,6 +378,12 @@ static void sdp_copy_raw_data (tCONN_CB *p_ccb, BOOLEAN offset) | ||
378 | 378 | { |
379 | 379 | cpy_len = list_len; |
380 | 380 | } |
381 | + rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int) (p - &p_ccb->rsp_list[0]); | |
382 | + if (cpy_len > rem_len) | |
383 | + { | |
384 | + SDP_TRACE_WARNING("rem_len :%d less than cpy_len:%d", rem_len, cpy_len); | |
385 | + cpy_len = rem_len; | |
386 | + } | |
381 | 387 | #if (SDP_DEBUG_RAW == TRUE) |
382 | 388 | SDP_TRACE_WARNING("list_len :%d cpy_len:%d raw_size:%d raw_used:%d", |
383 | 389 | list_len, cpy_len, p_ccb->p_db->raw_size, p_ccb->p_db->raw_used); |
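Review bot: The new clamp `rem_len = SDP_MAX_LIST_BYTE_COUNT - (unsigned int) (p - &p_ccb->rsp_list[0]);` bounds `cpy_len` by the capacity of `p_ccb->rsp_list`, not by the number of bytes actually received into it, so a response whose declared `list_len` is larger than the data it carries would presumably still let the later copy pick up stale buffer contents. If the connection block tracks the received length (not visible in this hunk), clamp against that instead, and consider rejecting the response on a mismatch rather than truncating and continuing, since an over-long declared length marks it as malformed. The subtraction is unsigned, so it is only correct while `p` is not past the end of `rsp_list`; how `p` is advanced lies outside the hunk and is worth confirming. Both values are `unsigned int`, so the trace should use `%u`: `SDP_TRACE_WARNING("rem_len :%u less than cpy_len:%u", rem_len, cpy_len);`. The body of sdp_copy_raw_data starts and ends outside the lines shown.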