OSDN -- 오픈 소스 소프트웨어 개발 및 다운로드
Translation Status of 한국말 translation status for ko
  • R/O
  • HTTP
  • SSH
  • HTTPS
Fork

Commit

Tags
No Tags

Frequently used words (click to add to your profile)

javac++androidlinuxc#windowsobjective-ccocoa誰得qtpythonphprubygameguibathyscaphec計画中(planning stage)翻訳omegatframeworktwitterdomtestvb.netdirectxゲームエンジンbtronarduinopreviewer

system/bt


Commit MetaInfo

Revisionae9562805e14540bdd41c271c5248e751d8c4b9c (tree)
Time2019-01-08 17:16:56
AuthorChih-Wei Huang <cwhuang@linu...>
CommiterChih-Wei Huang

Log Message

Android 8.1.0 Release 60 (OPM8.190105.002)
-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCXDOg0wAKCRDorT+BmrEO
eBEtAJ9uhwrY0xJFAZ2QWU76HyOMadiNHwCfUiJFEbswUtw2hlULES1+FVJ619o=
=wYVz
-----END PGP SIGNATURE-----

Merge tag 'android-8.1.0_r60' into oreo-x86

Android 8.1.0 Release 60 (OPM8.190105.002)

Change Summary

Incremental Difference

--- a/bta/ag/bta_ag_act.cc
+++ b/bta/ag/bta_ag_act.cc
@@ -58,7 +58,7 @@ const tBTA_SERVICE_MASK bta_ag_svc_mask[BTA_AG_NUM_IDX] = {
5858 BTA_HSP_SERVICE_MASK, BTA_HFP_SERVICE_MASK};
5959
6060 typedef void (*tBTA_AG_ATCMD_CBACK)(tBTA_AG_SCB* p_scb, uint16_t cmd,
61- uint8_t arg_type, char* p_arg,
61+ uint8_t arg_type, char* p_arg, char* p_end,
6262 int16_t int_arg);
6363
6464 const tBTA_AG_ATCMD_CBACK bta_ag_at_cback_tbl[BTA_AG_NUM_IDX] = {
--- a/bta/ag/bta_ag_at.cc
+++ b/bta/ag/bta_ag_at.cc
@@ -26,6 +26,7 @@
2626
2727 #include "bt_common.h"
2828 #include "bta_ag_at.h"
29+#include "log/log.h"
2930 #include "utl.h"
3031
3132 /*****************************************************************************
@@ -76,7 +77,7 @@ void bta_ag_at_reinit(tBTA_AG_AT_CB* p_cb) {
7677 * Returns void
7778 *
7879 *****************************************************************************/
79-void bta_ag_process_at(tBTA_AG_AT_CB* p_cb) {
80+void bta_ag_process_at(tBTA_AG_AT_CB* p_cb, char* p_end) {
8081 uint16_t idx;
8182 uint8_t arg_type;
8283 char* p_arg;
@@ -92,6 +93,11 @@ void bta_ag_process_at(tBTA_AG_AT_CB* p_cb) {
9293 if (p_cb->p_at_tbl[idx].p_cmd[0] != 0) {
9394 /* start of argument is p + strlen matching command */
9495 p_arg = p_cb->p_cmd_buf + strlen(p_cb->p_at_tbl[idx].p_cmd);
96+ if (p_arg > p_end) {
97+ (*p_cb->p_err_cback)(p_cb->p_user, false, NULL);
98+ android_errorWriteLog(0x534e4554, "112860487");
99+ return;
100+ }
95101
96102 /* if no argument */
97103 if (p_arg[0] == 0) {
@@ -132,11 +138,11 @@ void bta_ag_process_at(tBTA_AG_AT_CB* p_cb) {
132138 (*p_cb->p_err_cback)(p_cb->p_user, false, NULL);
133139 } else {
134140 (*p_cb->p_cmd_cback)(p_cb->p_user, p_cb->p_at_tbl[idx].command_id,
135- arg_type, p_arg, int_arg);
141+ arg_type, p_arg, p_end, int_arg);
136142 }
137143 } else {
138144 (*p_cb->p_cmd_cback)(p_cb->p_user, p_cb->p_at_tbl[idx].command_id,
139- arg_type, p_arg, int_arg);
145+ arg_type, p_arg, p_end, int_arg);
140146 }
141147 }
142148 /* else error */
@@ -187,8 +193,9 @@ void bta_ag_at_parse(tBTA_AG_AT_CB* p_cb, char* p_buf, uint16_t len) {
187193 (p_cb->p_cmd_buf[0] == 'A' || p_cb->p_cmd_buf[0] == 'a') &&
188194 (p_cb->p_cmd_buf[1] == 'T' || p_cb->p_cmd_buf[1] == 't')) {
189195 p_save = p_cb->p_cmd_buf;
196+ char* p_end = p_cb->p_cmd_buf + p_cb->cmd_pos;
190197 p_cb->p_cmd_buf += 2;
191- bta_ag_process_at(p_cb);
198+ bta_ag_process_at(p_cb, p_end);
192199 p_cb->p_cmd_buf = p_save;
193200 }
194201
--- a/bta/ag/bta_ag_at.h
+++ b/bta/ag/bta_ag_at.h
@@ -55,7 +55,7 @@ typedef struct {
5555
5656 /* callback function executed when command is parsed */
5757 typedef void(tBTA_AG_AT_CMD_CBACK)(void* p_user, uint16_t command_id,
58- uint8_t arg_type, char* p_arg,
58+ uint8_t arg_type, char* p_arg, char* p_end,
5959 int16_t int_arg);
6060
6161 /* callback function executed to send "ERROR" result code */
--- a/bta/ag/bta_ag_cmd.cc
+++ b/bta/ag/bta_ag_cmd.cc
@@ -30,6 +30,7 @@
3030 #include "bta_ag_int.h"
3131 #include "bta_api.h"
3232 #include "bta_sys.h"
33+#include "log/log.h"
3334 #include "osi/include/log.h"
3435 #include "osi/include/osi.h"
3536 #include "port_api.h"
@@ -378,23 +379,23 @@ static void bta_ag_send_ind(tBTA_AG_SCB* p_scb, uint16_t id, uint16_t value,
378379 * Returns true if parsed ok, false otherwise.
379380 *
380381 ******************************************************************************/
381-static bool bta_ag_parse_cmer(char* p_s, bool* p_enabled) {
382+static bool bta_ag_parse_cmer(char* p_s, char* p_end, bool* p_enabled) {
382383 int16_t n[4] = {-1, -1, -1, -1};
383384 int i;
384385 char* p;
385386
386- for (i = 0; i < 4; i++) {
387+ for (i = 0; i < 4; i++, p_s = p + 1) {
387388 /* skip to comma delimiter */
388- for (p = p_s; *p != ',' && *p != 0; p++)
389+ for (p = p_s; p < p_end && *p != ',' && *p != 0; p++)
389390 ;
390391
391392 /* get integer value */
393+ if (p > p_end) {
394+ android_errorWriteLog(0x534e4554, "112860487");
395+ return false;
396+ }
392397 *p = 0;
393398 n[i] = utl_str2int(p_s);
394- p_s = p + 1;
395- if (p_s == 0) {
396- break;
397- }
398399 }
399400
400401 /* process values */
@@ -452,7 +453,8 @@ static uint8_t bta_ag_parse_chld(UNUSED_ATTR tBTA_AG_SCB* p_scb, char* p_s) {
452453 * Returns Returns bitmap of supported codecs.
453454 *
454455 ******************************************************************************/
455-static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB* p_scb, char* p_s) {
456+static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB* p_scb, char* p_s,
457+ char* p_end) {
456458 tBTA_AG_PEER_CODEC retval = BTA_AG_CODEC_NONE;
457459 uint16_t uuid_codec;
458460 bool cont = false; /* Continue processing */
@@ -460,10 +462,14 @@ static tBTA_AG_PEER_CODEC bta_ag_parse_bac(tBTA_AG_SCB* p_scb, char* p_s) {
460462
461463 while (p_s) {
462464 /* skip to comma delimiter */
463- for (p = p_s; *p != ',' && *p != 0; p++)
465+ for (p = p_s; p < p_end && *p != ',' && *p != 0; p++)
464466 ;
465467
466468 /* get integre value */
469+ if (p > p_end) {
470+ android_errorWriteLog(0x534e4554, "112860487");
471+ break;
472+ }
467473 if (*p != 0) {
468474 *p = 0;
469475 cont = true;
@@ -597,7 +603,8 @@ void bta_ag_send_call_inds(tBTA_AG_SCB* p_scb, tBTA_AG_RES result) {
597603 *
598604 ******************************************************************************/
599605 void bta_ag_at_hsp_cback(tBTA_AG_SCB* p_scb, uint16_t command_id,
600- uint8_t arg_type, char* p_arg, int16_t int_arg) {
606+ uint8_t arg_type, char* p_arg, char* p_end,
607+ int16_t int_arg) {
601608 APPL_TRACE_DEBUG("AT cmd:%d arg_type:%d arg:%d arg:%s", command_id, arg_type,
602609 int_arg, p_arg);
603610
@@ -607,6 +614,13 @@ void bta_ag_at_hsp_cback(tBTA_AG_SCB* p_scb, uint16_t command_id,
607614 val.hdr.handle = bta_ag_scb_to_idx(p_scb);
608615 val.hdr.app_id = p_scb->app_id;
609616 val.num = (uint16_t)int_arg;
617+
618+ if ((p_end - p_arg + 1) >= (long)sizeof(val.str)) {
619+ APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
620+ bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
621+ android_errorWriteLog(0x534e4554, "112860487");
622+ return;
623+ }
610624 strlcpy(val.str, p_arg, sizeof(val.str));
611625
612626 /* call callback with event */
@@ -836,7 +850,7 @@ static bool bta_ag_parse_biev_response(tBTA_AG_SCB* p_scb, tBTA_AG_VAL* val) {
836850 *
837851 ******************************************************************************/
838852 void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
839- char* p_arg, int16_t int_arg) {
853+ char* p_arg, char* p_end, int16_t int_arg) {
840854 tBTA_AG_VAL val;
841855 tBTA_AG_SCB* ag_scb;
842856 uint32_t i, ind_id;
@@ -856,6 +870,13 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
856870 val.hdr.status = BTA_AG_SUCCESS;
857871 val.num = int_arg;
858872 val.bd_addr = p_scb->peer_addr;
873+
874+ if ((p_end - p_arg + 1) >= (long)sizeof(val.str)) {
875+ APPL_TRACE_ERROR("%s: p_arg is too long, send error and return", __func__);
876+ bta_ag_send_error(p_scb, BTA_AG_ERR_TEXT_TOO_LONG);
877+ android_errorWriteLog(0x534e4554, "112860487");
878+ return;
879+ }
859880 strlcpy(val.str, p_arg, sizeof(val.str));
860881
861882 /**
@@ -1034,7 +1055,7 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
10341055
10351056 case BTA_AG_LOCAL_EVT_CMER:
10361057 /* if parsed ok store setting, send OK */
1037- if (bta_ag_parse_cmer(p_arg, &p_scb->cmer_enabled)) {
1058+ if (bta_ag_parse_cmer(p_arg, p_end, &p_scb->cmer_enabled)) {
10381059 bta_ag_send_ok(p_scb);
10391060
10401061 /* if service level conn. not already open and our features and
@@ -1195,7 +1216,7 @@ void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd, uint8_t arg_type,
11951216 /* store available codecs from the peer */
11961217 if ((p_scb->peer_features & BTA_AG_PEER_FEAT_CODEC) &&
11971218 (p_scb->features & BTA_AG_FEAT_CODEC)) {
1198- p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg);
1219+ p_scb->peer_codecs = bta_ag_parse_bac(p_scb, p_arg, p_end);
11991220 p_scb->codec_updated = true;
12001221
12011222 if (p_scb->peer_codecs & BTA_AG_CODEC_MSBC) {
--- a/bta/ag/bta_ag_int.h
+++ b/bta/ag/bta_ag_int.h
@@ -361,9 +361,11 @@ extern void bta_ag_sco_conn_rsp(tBTA_AG_SCB* p_scb,
361361
362362 /* AT command functions */
363363 extern void bta_ag_at_hsp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd,
364- uint8_t arg_type, char* p_arg, int16_t int_arg);
364+ uint8_t arg_type, char* p_arg, char* p_end,
365+ int16_t int_arg);
365366 extern void bta_ag_at_hfp_cback(tBTA_AG_SCB* p_scb, uint16_t cmd,
366- uint8_t arg_type, char* p_arg, int16_t int_arg);
367+ uint8_t arg_type, char* p_arg, char* p_end,
368+ int16_t int_arg);
367369 extern void bta_ag_at_err_cback(tBTA_AG_SCB* p_scb, bool unknown, char* p_arg);
368370 extern bool bta_ag_inband_enabled(tBTA_AG_SCB* p_scb);
369371 extern void bta_ag_send_call_inds(tBTA_AG_SCB* p_scb, tBTA_AG_RES result);
--- a/bta/hh/bta_hh_act.cc
+++ b/bta/hh/bta_hh_act.cc
@@ -26,6 +26,7 @@
2626
2727 #if (BTA_HH_INCLUDED == TRUE)
2828
29+#include <log/log.h>
2930 #include <string.h>
3031
3132 #include "bta_hh_co.h"
@@ -701,6 +702,12 @@ void bta_hh_ctrl_dat_act(tBTA_HH_DEV_CB* p_cb, tBTA_HH_DATA* p_data) {
701702 APPL_TRACE_DEBUG("Ctrl DATA received w4: event[%s]",
702703 bta_hh_get_w4_event(p_cb->w4_evt));
703704 #endif
705+ if (pdata->len == 0) {
706+ android_errorWriteLog(0x534e4554, "116108738");
707+ p_cb->w4_evt = 0;
708+ osi_free_and_reset((void**)&pdata);
709+ return;
710+ }
704711 hs_data.status = BTA_HH_OK;
705712 hs_data.handle = p_cb->hid_handle;
706713
--- a/stack/avdt/avdt_scb_act.cc
+++ b/stack/avdt/avdt_scb_act.cc
@@ -23,6 +23,7 @@
2323 *
2424 ******************************************************************************/
2525
26+#include <cutils/log.h>
2627 #include <string.h>
2728 #include "a2dp_codec_api.h"
2829 #include "avdt_api.h"
@@ -231,10 +232,14 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
231232 uint16_t offset;
232233 uint16_t ex_len;
233234 uint8_t pad_len = 0;
235+ uint16_t len = p_data->p_pkt->len;
234236
235237 p = p_start = (uint8_t*)(p_data->p_pkt + 1) + p_data->p_pkt->offset;
236238
237239 /* parse media packet header */
240+ offset = 12;
241+ // AVDT_MSG_PRS_OCTET1(1) + AVDT_MSG_PRS_M_PT(1) + UINT16(2) + UINT32(4) + 4
242+ if (offset > len) goto length_error;
238243 AVDT_MSG_PRS_OCTET1(p, o_v, o_p, o_x, o_cc);
239244 AVDT_MSG_PRS_M_PT(p, m_pt, marker);
240245 BE_STREAM_TO_UINT16(seq, p);
@@ -242,18 +247,19 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
242247 p += 4;
243248
244249 /* skip over any csrc's in packet */
250+ offset += o_cc * 4;
245251 p += o_cc * 4;
246252
247253 /* check for and skip over extension header */
248254 if (o_x) {
255+ offset += 4;
256+ if (offset > len) goto length_error;
249257 p += 2;
250258 BE_STREAM_TO_UINT16(ex_len, p);
259+ offset += ex_len * 4;
251260 p += ex_len * 4;
252261 }
253262
254- /* save our new offset */
255- offset = (uint16_t)(p - p_start);
256-
257263 /* adjust length for any padding at end of packet */
258264 if (o_p) {
259265 /* padding length in last byte of packet */
@@ -281,6 +287,12 @@ void avdt_scb_hdl_pkt_no_frag(tAVDT_SCB* p_scb, tAVDT_SCB_EVT* p_data) {
281287 osi_free_and_reset((void**)&p_data->p_pkt);
282288 }
283289 }
290+ return;
291+length_error:
292+ android_errorWriteLog(0x534e4554, "111450156");
293+ AVDT_TRACE_WARNING("%s: hdl packet length %d too short: must be at least %d",
294+ __func__, len, offset);
295+ osi_free_and_reset((void**)&p_data->p_pkt);
284296 }
285297
286298 #if (AVDT_REPORTING == TRUE)
@@ -298,12 +310,21 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
298310 uint8_t* p_start = p;
299311 uint32_t ssrc;
300312 uint8_t o_v, o_p, o_cc;
313+ uint16_t min_len = 0;
301314 AVDT_REPORT_TYPE pt;
302315 tAVDT_REPORT_DATA report;
303316
304317 AVDT_TRACE_DEBUG("%s", __func__);
305318 if (p_scb->cs.p_report_cback) {
306319 /* parse report packet header */
320+ min_len += 8;
321+ if (min_len > len) {
322+ android_errorWriteLog(0x534e4554, "111450156");
323+ AVDT_TRACE_WARNING(
324+ "%s: hdl packet length %d too short: must be at least %d", __func__,
325+ len, min_len);
326+ goto avdt_scb_hdl_report_exit;
327+ }
307328 AVDT_MSG_PRS_RPT_OCTET1(p, o_v, o_p, o_cc);
308329 pt = *p++;
309330 p += 2;
@@ -311,6 +332,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
311332
312333 switch (pt) {
313334 case AVDT_RTCP_PT_SR: /* the packet type - SR (Sender Report) */
335+ min_len += 20;
336+ if (min_len > len) {
337+ android_errorWriteLog(0x534e4554, "111450156");
338+ AVDT_TRACE_WARNING(
339+ "%s: hdl packet length %d too short: must be at least %d",
340+ __func__, len, min_len);
341+ goto avdt_scb_hdl_report_exit;
342+ }
314343 BE_STREAM_TO_UINT32(report.sr.ntp_sec, p);
315344 BE_STREAM_TO_UINT32(report.sr.ntp_frac, p);
316345 BE_STREAM_TO_UINT32(report.sr.rtp_time, p);
@@ -319,6 +348,14 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
319348 break;
320349
321350 case AVDT_RTCP_PT_RR: /* the packet type - RR (Receiver Report) */
351+ min_len += 20;
352+ if (min_len > len) {
353+ android_errorWriteLog(0x534e4554, "111450156");
354+ AVDT_TRACE_WARNING(
355+ "%s: hdl packet length %d too short: must be at least %d",
356+ __func__, len, min_len);
357+ goto avdt_scb_hdl_report_exit;
358+ }
322359 report.rr.frag_lost = *p;
323360 BE_STREAM_TO_UINT32(report.rr.packet_lost, p);
324361 report.rr.packet_lost &= 0xFFFFFF;
@@ -330,9 +367,25 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
330367
331368 case AVDT_RTCP_PT_SDES: /* the packet type - SDES (Source Description) */
332369 uint8_t sdes_type;
370+ min_len += 1;
371+ if (min_len > len) {
372+ android_errorWriteLog(0x534e4554, "111450156");
373+ AVDT_TRACE_WARNING(
374+ "%s: hdl packet length %d too short: must be at least %d",
375+ __func__, len, min_len);
376+ goto avdt_scb_hdl_report_exit;
377+ }
333378 BE_STREAM_TO_UINT8(sdes_type, p);
334379 if (sdes_type == AVDT_RTCP_SDES_CNAME) {
335380 uint8_t name_length;
381+ min_len += 1;
382+ if (min_len > len) {
383+ android_errorWriteLog(0x534e4554, "111450156");
384+ AVDT_TRACE_WARNING(
385+ "%s: hdl packet length %d too short: must be at least %d",
386+ __func__, len, min_len);
387+ goto avdt_scb_hdl_report_exit;
388+ }
336389 BE_STREAM_TO_UINT8(name_length, p);
337390 if (name_length > len - 2 || name_length > AVDT_MAX_CNAME_SIZE) {
338391 result = AVDT_BAD_PARAMS;
@@ -340,6 +393,13 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
340393 BE_STREAM_TO_ARRAY(p, &(report.cname[0]), name_length);
341394 }
342395 } else {
396+ if (min_len + 1 > len) {
397+ android_errorWriteLog(0x534e4554, "111450156");
398+ AVDT_TRACE_WARNING(
399+ "%s: hdl packet length %d too short: must be at least %d",
400+ __func__, len, min_len + 2);
401+ goto avdt_scb_hdl_report_exit;
402+ }
343403 AVDT_TRACE_WARNING(" - SDES SSRC=0x%08x sc=%d %d len=%d %s", ssrc,
344404 o_cc, *p, *(p + 1), p + 2);
345405 result = AVDT_BUSY;
@@ -354,6 +414,7 @@ uint8_t* avdt_scb_hdl_report(tAVDT_SCB* p_scb, uint8_t* p, uint16_t len) {
354414 if (result == AVDT_SUCCESS)
355415 (*p_scb->cs.p_report_cback)(avdt_scb_to_hdl(p_scb), pt, &report);
356416 }
417+avdt_scb_hdl_report_exit:
357418 p_start += len;
358419 return p_start;
359420 }
--- a/stack/mcap/mca_cact.cc
+++ b/stack/mcap/mca_cact.cc
@@ -449,12 +449,23 @@ void mca_ccb_hdl_rsp(tMCA_CCB* p_ccb, tMCA_CCB_EVT* p_data) {
449449 tMCA_RESULT result = MCA_BAD_HANDLE;
450450 tMCA_TC_TBL* p_tbl;
451451
452- if (p_ccb->p_tx_req) {
452+ if (p_pkt->len < sizeof(evt_data.hdr.op_code) +
453+ sizeof(evt_data.rsp.rsp_code) +
454+ sizeof(evt_data.hdr.mdl_id)) {
455+ android_errorWriteLog(0x534e4554, "116319076");
456+ MCA_TRACE_ERROR("%s: Response packet is too short", __func__);
457+ } else if (p_ccb->p_tx_req) {
453458 /* verify that the received response matches the sent request */
454459 p = (uint8_t*)(p_pkt + 1) + p_pkt->offset;
455460 evt_data.hdr.op_code = *p++;
456- if ((evt_data.hdr.op_code == 0) ||
457- ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
461+ if ((evt_data.hdr.op_code == MCA_OP_MDL_CREATE_RSP) &&
462+ (p_pkt->len <
463+ sizeof(evt_data.hdr.op_code) + sizeof(evt_data.rsp.rsp_code) +
464+ sizeof(evt_data.hdr.mdl_id) + sizeof(evt_data.create_cfm.cfg))) {
465+ android_errorWriteLog(0x534e4554, "116319076");
466+ MCA_TRACE_ERROR("%s: MDL Create Response packet is too short", __func__);
467+ } else if ((evt_data.hdr.op_code == 0) ||
468+ ((p_ccb->p_tx_req->op_code + 1) == evt_data.hdr.op_code)) {
458469 evt_data.rsp.rsp_code = *p++;
459470 mca_stop_timer(p_ccb);
460471 BE_STREAM_TO_UINT16(evt_data.hdr.mdl_id, p);
--- a/stack/sdp/sdp_discovery.cc
+++ b/stack/sdp/sdp_discovery.cc
@@ -53,7 +53,7 @@ static void process_service_search_attr_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
5353 static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end);
5454 static tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db,
5555 const RawAddress& p_bda);
56-static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
56+static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
5757 tSDP_DISC_REC* p_rec, uint16_t attr_id,
5858 tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level);
5959
@@ -767,7 +767,7 @@ static uint8_t* save_attr_seq(tCONN_CB* p_ccb, uint8_t* p, uint8_t* p_msg_end) {
767767 BE_STREAM_TO_UINT16(attr_id, p);
768768
769769 /* Now, add the attribute value */
770- p = add_attr(p, p_ccb->p_db, p_rec, attr_id, NULL, 0);
770+ p = add_attr(p, p_seq_end, p_ccb->p_db, p_rec, attr_id, NULL, 0);
771771
772772 if (!p) {
773773 SDP_TRACE_WARNING("SDP - DB full add_attr");
@@ -827,7 +827,7 @@ tSDP_DISC_REC* add_record(tSDP_DISCOVERY_DB* p_db, const RawAddress& p_bda) {
827827 * Returns pointer to next byte in data stream
828828 *
829829 ******************************************************************************/
830-static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
830+static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
831831 tSDP_DISC_REC* p_rec, uint16_t attr_id,
832832 tSDP_DISC_ATTR* p_parent_attr, uint8_t nest_level) {
833833 tSDP_DISC_ATTR* p_attr;
@@ -836,7 +836,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
836836 uint16_t attr_type;
837837 uint16_t id;
838838 uint8_t type;
839- uint8_t* p_end;
839+ uint8_t* p_attr_end;
840840 uint8_t is_additional_list = nest_level & SDP_ADDITIONAL_LIST_MASK;
841841
842842 nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);
@@ -853,6 +853,13 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
853853 else
854854 total_len = sizeof(tSDP_DISC_ATTR);
855855
856+ p_attr_end = p + attr_len;
857+ if (p_attr_end > p_end) {
858+ android_errorWriteLog(0x534e4554, "115900043");
859+ SDP_TRACE_WARNING("%s: SDP - Attribute length beyond p_end", __func__);
860+ return NULL;
861+ }
862+
856863 /* Ensure it is a multiple of 4 */
857864 total_len = (total_len + 3) & ~3;
858865
@@ -876,18 +883,17 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
876883 * sub-attributes */
877884 p_db->p_free_mem += sizeof(tSDP_DISC_ATTR);
878885 p_db->mem_free -= sizeof(tSDP_DISC_ATTR);
879- p_end = p + attr_len;
880886 total_len = 0;
881887
882888 /* SDP_TRACE_DEBUG ("SDP - attr nest level:%d(list)", nest_level); */
883889 if (nest_level >= MAX_NEST_LEVELS) {
884890 SDP_TRACE_ERROR("SDP - attr nesting too deep");
885- return (p_end);
891+ return p_attr_end;
886892 }
887893
888894 /* Now, add the list entry */
889- p = add_attr(p, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST, p_attr,
890- (uint8_t)(nest_level + 1));
895+ p = add_attr(p, p_end, p_db, p_rec, ATTR_ID_PROTOCOL_DESC_LIST,
896+ p_attr, (uint8_t)(nest_level + 1));
891897
892898 break;
893899 }
@@ -946,7 +952,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
946952 break;
947953 default:
948954 SDP_TRACE_WARNING("SDP - bad len in UUID attr: %d", attr_len);
949- return (p + attr_len);
955+ return p_attr_end;
950956 }
951957 break;
952958
@@ -956,22 +962,22 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
956962 * sub-attributes */
957963 p_db->p_free_mem += sizeof(tSDP_DISC_ATTR);
958964 p_db->mem_free -= sizeof(tSDP_DISC_ATTR);
959- p_end = p + attr_len;
960965 total_len = 0;
961966
962967 /* SDP_TRACE_DEBUG ("SDP - attr nest level:%d", nest_level); */
963968 if (nest_level >= MAX_NEST_LEVELS) {
964969 SDP_TRACE_ERROR("SDP - attr nesting too deep");
965- return (p_end);
970+ return p_attr_end;
966971 }
967972 if (is_additional_list != 0 ||
968973 attr_id == ATTR_ID_ADDITION_PROTO_DESC_LISTS)
969974 nest_level |= SDP_ADDITIONAL_LIST_MASK;
970975 /* SDP_TRACE_DEBUG ("SDP - attr nest level:0x%x(finish)", nest_level); */
971976
972- while (p < p_end) {
977+ while (p < p_attr_end) {
973978 /* Now, add the list entry */
974- p = add_attr(p, p_db, p_rec, 0, p_attr, (uint8_t)(nest_level + 1));
979+ p = add_attr(p, p_end, p_db, p_rec, 0, p_attr,
980+ (uint8_t)(nest_level + 1));
975981
976982 if (!p) return (NULL);
977983 }
@@ -989,7 +995,7 @@ static uint8_t* add_attr(uint8_t* p, tSDP_DISCOVERY_DB* p_db,
989995 break;
990996 default:
991997 SDP_TRACE_WARNING("SDP - bad len in boolean attr: %d", attr_len);
992- return (p + attr_len);
998+ return p_attr_end;
993999 }
9941000 break;
9951001