OSDN > 開発者 > hafixie93 > 作業部屋 > system-bt > コミット

system-bt
Fork

R/O
HTTP
SSH
HTTPS

コミット

コミットメタ情報

リビジョン	93f10607a7a6924e743f9ae758a773e218eb2204 (tree)
日時	2019-01-18 19:52:46
作者	Myles Watson <mylesgw@goog...>
コミッター	Vasyl Gello

ログメッセージ

SDP: Check p_end in save_attr_seq and add_attr

Bug: 115900043
Test: Sanity pairing and SDP PTS
Change-Id: Ib642f79ed22b65ede5ff786cb1e163d172480f11
(cherry picked from commit b8a5081b00fc9730092d8392786f3f4e659cb602)

変更サマリ

modified: stack/sdp/sdp_discovery.c (diff)

差分

--- a/stack/sdp/sdp_discovery.c

+++ b/stack/sdp/sdp_discovery.c

		@@ -54,7 +54,7 @@ static void process_service_search_attr_rsp (tCONN_CB* p_ccb, uint8_t*
54	54	uint8_t* p_reply_end);
55	55	static UINT8 save_attr_seq (tCONN_CB p_ccb, UINT8 p, UINT8 p_msg_end);
56	56	static tSDP_DISC_REC add_record (tSDP_DISCOVERY_DB p_db, BD_ADDR p_bda);
57		-static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
	57	+static UINT8 add_attr (UINT8 p, UINT8 p_end, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC *p_rec,
58	58	UINT16 attr_id, tSDP_DISC_ATTR *p_parent_attr, UINT8 nest_level);
59	59
60	60	/* Safety check in case we go crazy */

		@@ -831,7 +831,7 @@ static UINT8 save_attr_seq (tCONN_CB p_ccb, UINT8 p, UINT8 p_msg_end)
831	831	BE_STREAM_TO_UINT16 (attr_id, p);
832	832
833	833	/* Now, add the attribute value */
834		- p = add_attr (p, p_ccb->p_db, p_rec, attr_id, NULL, 0);
	834	+ p = add_attr (p, p_seq_end, p_ccb->p_db, p_rec, attr_id, NULL, 0);
835	835
836	836	if (!p)
837	837	{

		@@ -897,7 +897,7 @@ tSDP_DISC_REC add_record (tSDP_DISCOVERY_DB p_db, BD_ADDR p_bda)
897	897	** Returns pointer to next byte in data stream
898	898	**
899	899	*******************************************************************************/
900		-static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
	900	+static UINT8 add_attr (UINT8 p, UINT8 p_end, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC *p_rec,
901	901	UINT16 attr_id, tSDP_DISC_ATTR *p_parent_attr, UINT8 nest_level)
902	902	{
903	903	tSDP_DISC_ATTR *p_attr;

		@@ -906,7 +906,7 @@ static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
906	906	UINT16 attr_type;
907	907	UINT16 id;
908	908	UINT8 type;
909		- UINT8 *p_end;
	909	+ UINT8 *p_attr_end;
910	910	UINT8 is_additional_list = nest_level & SDP_ADDITIONAL_LIST_MASK;
911	911
912	912	nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);

		@@ -923,6 +923,14 @@ static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
923	923	else
924	924	total_len = sizeof (tSDP_DISC_ATTR);
925	925
	926	+ p_attr_end = p + attr_len;
	927	+ if (p_attr_end > p_end)
	928	+ {
	929	+ android_errorWriteLog(0x534e4554, "115900043");
	930	+ SDP_TRACE_WARNING("%s: SDP - Attribute length beyond p_end", __func__);
	931	+ return NULL;
	932	+ }
	933	+
926	934	/* Ensure it is a multiple of 4 */
927	935	total_len = (total_len + 3) & ~3;
928	936

		@@ -949,18 +957,18 @@ static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
949	957	/* Reserve the memory for the attribute now, as we need to add sub-attributes */
950	958	p_db->p_free_mem += sizeof (tSDP_DISC_ATTR);
951	959	p_db->mem_free -= sizeof (tSDP_DISC_ATTR);
952		- p_end = p + attr_len;
953	960	total_len = 0;
954	961
955	962	/* SDP_TRACE_DEBUG ("SDP - attr nest level:%d(list)", nest_level); */
956	963	if (nest_level >= MAX_NEST_LEVELS)
957	964	{
958	965	SDP_TRACE_ERROR ("SDP - attr nesting too deep");
959		- return (p_end);
	966	+ return p_attr_end;
960	967	}
961	968
962	969	/* Now, add the list entry */
963		- p = add_attr (p, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST, p_attr, (UINT8)(nest_level + 1));
	970	+ p = add_attr (p, p_end, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST,
	971	+ p_attr, (UINT8)(nest_level + 1));
964	972
965	973	break;
966	974	}

		@@ -1033,7 +1041,7 @@ static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
1033	1041	break;
1034	1042	default:
1035	1043	SDP_TRACE_WARNING ("SDP - bad len in UUID attr: %d", attr_len);
1036		- return (p + attr_len);
	1044	+ return p_attr_end;
1037	1045	}
1038	1046	break;
1039	1047

		@@ -1042,23 +1050,22 @@ static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
1042	1050	/* Reserve the memory for the attribute now, as we need to add sub-attributes */
1043	1051	p_db->p_free_mem += sizeof (tSDP_DISC_ATTR);
1044	1052	p_db->mem_free -= sizeof (tSDP_DISC_ATTR);
1045		- p_end = p + attr_len;
1046	1053	total_len = 0;
1047	1054
1048	1055	/* SDP_TRACE_DEBUG ("SDP - attr nest level:%d", nest_level); */
1049	1056	if (nest_level >= MAX_NEST_LEVELS)
1050	1057	{
1051	1058	SDP_TRACE_ERROR ("SDP - attr nesting too deep");
1052		- return (p_end);
	1059	+ return p_attr_end;
1053	1060	}
1054	1061	if(is_additional_list != 0 \|\| attr_id == ATTR_ID_ADDITION_PROTO_DESC_LISTS)
1055	1062	nest_level \|= SDP_ADDITIONAL_LIST_MASK;
1056	1063	/* SDP_TRACE_DEBUG ("SDP - attr nest level:0x%x(finish)", nest_level); */
1057	1064
1058		- while (p < p_end)
	1065	+ while (p < p_attr_end)
1059	1066	{
1060	1067	/* Now, add the list entry */
1061		- p = add_attr (p, p_db, p_rec, 0, p_attr, (UINT8)(nest_level + 1));
	1068	+ p = add_attr (p, p_end, p_db, p_rec, 0, p_attr, (UINT8)(nest_level + 1));
1062	1069
1063	1070	if (!p)
1064	1071	return (NULL);

		@@ -1078,7 +1085,7 @@ static UINT8 add_attr (UINT8 p, tSDP_DISCOVERY_DB p_db, tSDP_DISC_REC p_rec,
1078	1085	break;
1079	1086	default:
1080	1087	SDP_TRACE_WARNING ("SDP - bad len in boolean attr: %d", attr_len);
1081		- return (p + attr_len);
	1088	+ return p_attr_end;
1082	1089	}
1083	1090	break;
1084	1091

system-bt Fork

コミット

タグ

よく使われているワード(クリックで追加)

コミットメタ情報

ログメッセージ

変更サマリ

差分

system-bt
Fork