From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Brian Delwiche Date: Fri, 12 Aug 2022 17:26:19 +0000 Subject: [PATCH] Add negative length check in process_service_search_rsp Bug: 225876506 Test: run supplied POC (updated to Android T) Tag: #security Ignore-AOSP-First: Security Change-Id: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca (cherry picked from commit 18d69eb958493d4879786e2edb42ff4e60334a2f) Merged-In: I0054806e47ed9d6eb8b034a41c8c872fee7f1eca --- stack/sdp/sdp_discovery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/stack/sdp/sdp_discovery.c b/stack/sdp/sdp_discovery.c index 6f6fe2b15..ec85da47a 100644 --- a/stack/sdp/sdp_discovery.c +++ b/stack/sdp/sdp_discovery.c @@ -309,7 +309,7 @@ static void process_service_search_rsp (tCONN_CB* p_ccb, uint8_t* p_reply, orig = p_ccb->num_handles; p_ccb->num_handles += cur_handles; - if (p_ccb->num_handles == 0) + if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) { SDP_TRACE_WARNING ("SDP - Rcvd ServiceSearchRsp, no matches"); sdp_disconnect (p_ccb, SDP_NO_RECS_MATCH);
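Review bot: In the changed condition, the new `p_ccb->num_handles < orig` case falls into the same branch as `== 0`, so a wrapped handle count is logged as "SDP - Rcvd ServiceSearchRsp, no matches" and disconnected with SDP_NO_RECS_MATCH. A malformed or hostile response then looks the same in traces as an ordinary empty result. Consider giving the wrap case its own branch with a distinct warning, so the condition this patch guards against can be seen in logs. The test also runs after `p_ccb->num_handles += cur_handles` has already stored the sum, so the field keeps the wrapped value on the failure path; that is harmless only if nothing reads it once sdp_disconnect is called. Checking the addition in a local before assigning would avoid relying on that. Finally, the subject calls this a negative length check, while the condition detects the running total dropping below `orig`; the types of `num_handles`, `orig` and `cur_handles` are not visible in this hunk, so a one-line comment saying which wrap is being caught would help the next reader confirm the comparison is right for those types.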