author | Zhihai Xu <zhihaixu@google.com> | 2013-12-16 19:20:52 -0800 |
---|---|---|
committer | Zhihai Xu <zhihaixu@google.com> | 2014-01-06 14:07:57 -0800 |
commit | b6dffc12ed1dc044ee3b67026140d37f325d7306 (patch) | |
tree | 1c9a206cd66cac572cff4bd325642cf1b3e027c3 /stack/sdp | |
parent | 6567fa2d9d9d4f30e9ff5d1eb17794fae4771458 (diff) | |
Crash pairing keyboard/mouse on N5
The crash is caused by reading the source string out of bounds.
The length to copy should be limited to less than the source string length.
We should use
MIN(SDP_DISC_ATTR_LEN(p_curr_attr->attr_len_type), SDP_MAX_ATTR_LEN);
as the length to copy.
bug:12166360
Change-Id: I871d7dcaa8bf73aa27e9088417b35b677924bebd
Diffstat (limited to 'stack/sdp')
-rw-r--r-- | stack/sdp/sdp_api.c | 47 |
1 files changed, 32 insertions, 15 deletions
diff --git a/stack/sdp/sdp_api.c b/stack/sdp/sdp_api.c
index a1f8c24..7af690b 100644
--- a/stack/sdp/sdp_api.c
+++ b/stack/sdp/sdp_api.c
@@ -989,6 +989,34 @@ UINT8 SDP_GetNumDiRecords( tSDP_DISCOVERY_DB *p_db )
 /*******************************************************************************
 **
+** Function SDP_AttrStringCopy
+**
+** Description This function copy given attribute to specified buffer as a string
+**
+** Returns none
+**
+*******************************************************************************/
+static void SDP_AttrStringCopy(char *dst, tSDP_DISC_ATTR *p_attr, UINT16 dst_size)
+{
+ if ( dst == NULL ) return;
+ if ( p_attr )
+ {
+ UINT16 len = SDP_DISC_ATTR_LEN(p_attr->attr_len_type);
+ if ( len > dst_size - 1 )
+ {
+ len = dst_size - 1;
+ }
+ memcpy(dst, (char *)p_attr->attr_value.v.array, len);
+ dst[len] = '\0';
+ }
+ else
+ {
+ dst[0] = '\0';
+ }
+}
+
+/*******************************************************************************
+**
 ** Function SDP_GetDiRecord
 **
 ** Description This function retrieves a remote device's DI record from 
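Review bot: In the added SDP_AttrStringCopy, `dst_size - 1` is evaluated after integer promotion, so a call with a dst_size of 0 compares len against -1, sets len to 0xFFFF and lets memcpy write far past dst. Every caller in this commit passes SDP_MAX_ATTR_LEN, so the problem is latent, but the helper should reject it up front with `if ( dst == NULL || dst_size == 0 ) return;`. The helper also copies attr_value.v.array without looking at the type bits in attr_len_type; because these records are supplied by the remote device, it may be worth confirming the attribute is a text or URL type before treating its value as a byte string. The header comment could also state that dst_size is the full size of dst, terminator included.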
@@ -1028,27 +1056,16 @@ UINT16 SDP_GetDiRecord( UINT8 get_record_index, tSDP_DI_GET_RECORD *p_device_inf
 /* ClientExecutableURL is optional */
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_CLIENT_EXE_URL );
- if ( p_curr_attr )
- BCM_STRNCPY_S( p_device_info->rec.client_executable_url, sizeof(p_device_info->rec.client_executable_url),
- (char *)p_curr_attr->attr_value.v.array, SDP_MAX_ATTR_LEN );
- else
- p_device_info->rec.client_executable_url[0] = '\0';
+ SDP_AttrStringCopy( p_device_info->rec.client_executable_url, p_curr_attr,
+ SDP_MAX_ATTR_LEN );
 /* Service Description is optional */
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_SERVICE_DESCRIPTION );
- if ( p_curr_attr )
- BCM_STRNCPY_S( p_device_info->rec.service_description, sizeof(p_device_info->rec.service_description),
- (char *)p_curr_attr->attr_value.v.array, SDP_MAX_ATTR_LEN );
- else
- p_device_info->rec.service_description[0] = '\0';
+ SDP_AttrStringCopy( p_device_info->rec.service_description, p_curr_attr, SDP_MAX_ATTR_LEN );
 /* DocumentationURL is optional */
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_DOCUMENTATION_URL );
- if ( p_curr_attr )
- BCM_STRNCPY_S( p_device_info->rec.documentation_url, sizeof(p_device_info->rec.documentation_url),
- (char *)p_curr_attr->attr_value.v.array, SDP_MAX_ATTR_LEN );
- else
- p_device_info->rec.documentation_url[0] = '\0';
+ SDP_AttrStringCopy( p_device_info->rec.documentation_url, p_curr_attr, SDP_MAX_ATTR_LEN );
 p_curr_attr = SDP_FindAttributeInRec( p_curr_record, ATTR_ID_SPECIFICATION_ID );
 if ( p_curr_attr ) |
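Review bot: The three SDP_AttrStringCopy calls pass SDP_MAX_ATTR_LEN as the destination size where the removed code passed sizeof() of the destination field, so the bound is no longer tied to the actual buffer. The field declarations are outside this hunk; if any of them is, or later becomes, smaller than SDP_MAX_ATTR_LEN, the helper will write past the end of it. Prefer `SDP_AttrStringCopy( p_device_info->rec.client_executable_url, p_curr_attr, sizeof(p_device_info->rec.client_executable_url) );`, and likewise for service_description and documentation_url. SDP_GetDiRecord's body starts and ends outside the hunk.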