Commit

system/bt


Commit MetaInfo

Revision: 7147c33543b88bea08727ce5f7f0ae3936355b3c (tree)
Time: 2018-10-17 08:08:50
Author: Jakub Pawlowski <jpawlowski@goog...>
Committer: Rohit Yengisetty

Log Message

Fix possible OOB read in process_service_search_rsp

Bug: 74249842
Change-Id: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
Merged-In: I0dbe43f0da1f5a8f14bcb69659752de4bd70ca98
(cherry picked from commit b6fa6e4fffe439abc97904b15088af88f983ca0d)

Change Summary

Diff

--- a/stack/sdp/sdp_discovery.c
+++ b/stack/sdp/sdp_discovery.c
@@ -291,6 +291,11 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
291291 UINT16 total, cur_handles, orig;
292292 UINT8 cont_len;
293293
294+ if (p_reply + 8 > p_reply_end) {
295+ android_errorWriteLog(0x534e4554, "74249842");
296+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
297+ return;
298+ }
294299 /* Skip transaction, and param len */
295300 p_reply += 4;
296301 BE_STREAM_TO_UINT16 (total, p_reply);
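
Review bot: The new guard `if (p_reply + 8 > p_reply_end)` at the top of process_service_search_rsp forms a pointer that can lie more than one element past the end of the reply buffer before it is compared, which is undefined behaviour in C; comparing the remaining length instead, for example `if (p_reply_end - p_reply < 8)`, gives the same result without advancing the pointer. The constant 8 is also unexplained: the context lines account for the 4 skipped bytes (transaction, param len) and the 2-byte `total`, so a short comment naming the fields that make up the 8 bytes would let the next reader verify the bound.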
@@ -311,6 +316,12 @@ static void process_service_search_rsp(tCONN_CB *p_ccb, UINT8 *p_reply,
311316 if (p_ccb->num_handles > sdp_cb.max_recs_per_search)
312317 p_ccb->num_handles = sdp_cb.max_recs_per_search;
313318
319+ if (p_reply + ((p_ccb->num_handles - orig) * 4) + 1 > p_reply_end) {
320+ android_errorWriteLog(0x534e4554, "74249842");
321+ sdp_disconnect(p_ccb, SDP_GENERIC_ERROR);
322+ return;
323+ }
324+
314325 for (xx = orig; xx < p_ccb->num_handles; xx++)
315326 BE_STREAM_TO_UINT32 (p_ccb->handles[xx], p_reply);
316327
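
Review bot: In the second guard, `(p_ccb->num_handles - orig) * 4` is evaluated after num_handles has been clamped to sdp_cb.max_recs_per_search, and nothing in the hunk ensures the clamped value is still at least `orig`. If it is lower, the offset is negative, the test passes with a bound below `p_reply + 1`, and the single byte that the `+ 1` reserves is no longer covered. Suggest handling `p_ccb->num_handles < orig` explicitly before the arithmetic, and checking against the remaining length (`p_reply_end - p_reply`) rather than an advanced pointer. A comment saying what the extra byte is for would also help, since the `+ 1` is not explained here.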