diff options
| author | Myles Watson <mylesgw@google.com> | 2018-01-10 14:16:15 -0800 |
|---|---|---|
| committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-01-18 22:43:29 +0000 |
| commit | 349391266869554d8e6a83fa890dd099c4cee7cb (patch) | |
| tree | 397d23802aeaf63a4d6ad6d3026261098998286e | |
| parent | 1a7856018ab1608a3d681caab4eecd2185ff51f2 (diff) | |
| download | bt-349391266869554d8e6a83fa890dd099c4cee7cb.tar.gz | |
SDP: Pass the bounds to process_service_*_rsp
Test: build
Bug: 68161546
Change-Id: Icf53d4d05f99b5e0a2b3f4d3735b6fbfd62adaa3
(cherry picked from commit 3c7bd5a8453110a7bd1351648c5a4001b99afa70)
| -rw-r--r-- | stack/sdp/sdp_discovery.cc | 51 |
1 files changed, 36 insertions, 15 deletions
diff --git a/stack/sdp/sdp_discovery.cc b/stack/sdp/sdp_discovery.cc index fd9339f08..574f5bc56 100644 --- a/stack/sdp/sdp_discovery.cc +++ b/stack/sdp/sdp_discovery.cc @@ -33,6 +33,7 @@ #include "hcidefs.h" #include "hcimsgs.h" #include "l2cdefs.h" +#include "log/log.h" #include "sdp_api.h" #include "sdpint.h" @@ -43,9 +44,12 @@ /******************************************************************************/ /* L O C A L F U N C T I O N P R O T O T Y P E S */ /******************************************************************************/ -static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply); -static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply); -static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply); +static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + uint8_t* p_reply_end); +static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + uint8_t* p_reply_end); +static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + uint8_t* p_reply_end); static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end); static tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db, const RawAddress& p_bda); @@ -187,7 +191,7 @@ void sdp_disc_connected(tCONN_CB* p_ccb) { if (p_ccb->is_attr_search) { p_ccb->disc_state = SDP_DISC_WAIT_SEARCH_ATTR; - process_service_search_attr_rsp(p_ccb, NULL); + process_service_search_attr_rsp(p_ccb, NULL, NULL); } else { /* First step is to get a list of the handles from the server. */ /* We are not searching for a specific attribute, so we will */ @@ -221,6 +225,7 @@ void sdp_disc_server_rsp(tCONN_CB* p_ccb, BT_HDR* p_msg) { /* Got a reply!! Check what we got back */ p = (uint8_t*)(p_msg + 1) + p_msg->offset; + uint8_t* p_end = (uint8_t*)(p_msg + 1) + p_msg->len; BE_STREAM_TO_UINT8(rsp_pdu, p); @@ -229,21 +234,21 @@ void sdp_disc_server_rsp(tCONN_CB* p_ccb, BT_HDR* p_msg) { switch (rsp_pdu) { case SDP_PDU_SERVICE_SEARCH_RSP: if (p_ccb->disc_state == SDP_DISC_WAIT_HANDLES) { - process_service_search_rsp(p_ccb, p); + process_service_search_rsp(p_ccb, p, p_end); invalid_pdu = false; } break; case SDP_PDU_SERVICE_ATTR_RSP: if (p_ccb->disc_state == SDP_DISC_WAIT_ATTR) { - process_service_attr_rsp(p_ccb, p); + process_service_attr_rsp(p_ccb, p, p_end); invalid_pdu = false; } break; case SDP_PDU_SERVICE_SEARCH_ATTR_RSP: if (p_ccb->disc_state == SDP_DISC_WAIT_SEARCH_ATTR) { - process_service_search_attr_rsp(p_ccb, p); + process_service_search_attr_rsp(p_ccb, p, p_end); invalid_pdu = false; } break; @@ -266,7 +271,8 @@ void sdp_disc_server_rsp(tCONN_CB* p_ccb, BT_HDR* p_msg) { * Returns void * ******************************************************************************/ -static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { +static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + uint8_t* p_reply_end) { uint16_t xx; uint16_t total, cur_handles, orig; uint8_t cont_len; @@ -298,6 +304,11 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE); return; } + if (p_reply + cont_len > p_reply_end) { + android_errorWriteLog(0x534e4554, "68161546"); + sdp_disconnect(p_ccb, SDP_INVALID_CONT_STATE); + return; + } /* stay in the same state */ sdp_snd_service_search_req(p_ccb, cont_len, p_reply); } else { @@ -305,7 +316,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { p_ccb->disc_state = SDP_DISC_WAIT_ATTR; /* Kick off the first attribute request */ - process_service_attr_rsp(p_ccb, NULL); + process_service_attr_rsp(p_ccb, NULL, NULL); } } @@ -370,7 +381,8 @@ static void sdp_copy_raw_data(tCONN_CB* p_ccb, bool offset) { * Returns void * ******************************************************************************/ -static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { +static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + uint8_t* p_reply_end) { uint8_t *p_start, *p_param_len; uint16_t param_len, list_byte_count; bool cont_request_needed = false; @@ -469,8 +481,12 @@ static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { /* Was this a continuation request ? */ if (cont_request_needed) { - memcpy(p, p_reply, *p_reply + 1); - p += *p_reply + 1; + if ((p_reply + *p_reply + 1) <= p_reply_end) { + memcpy(p, p_reply, *p_reply + 1); + p += *p_reply + 1; + } else { + android_errorWriteLog(0x534e4554, "68161546"); + } } else UINT8_TO_BE_STREAM(p, 0); @@ -502,7 +518,8 @@ static void process_service_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { * Returns void * ******************************************************************************/ -static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { +static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply, + uint8_t* p_reply_end) { uint8_t *p, *p_start, *p_end, *p_param_len; uint8_t type; uint32_t seq_len; @@ -599,8 +616,12 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply) { /* No continuation for first request */ if (p_reply) { - memcpy(p, p_reply, *p_reply + 1); - p += *p_reply + 1; + if ((p_reply + *p_reply + 1) <= p_reply_end) { + memcpy(p, p_reply, *p_reply + 1); + p += *p_reply + 1; + } else { + android_errorWriteLog(0x534e4554, "68161546"); + } } else UINT8_TO_BE_STREAM(p, 0); |