authorBrian Delwiche <delwiche@google.com>2025-02-13 18:08:30 +0000
committeraoleary <seanm187@gmail.com>2025-07-09 07:12:45 +0000
commitedecf1f7bf61a67722621145a8bdb62b66fb6776 (patch)
tree35d5a54bc06885959e290ee84d93facf2de63403
parentc251f67ec67d0dda4f8203a8bbaa3ba3c973e391 (diff)
Fix OOB read in add_attr
It is possible in exceptional cases for add_attr to be passed a p pointer one byte short of its p_end pointer, which leads to an OOB read as it attempts to read the type of the next attribute. Add a check for this. Bug: 367274727 Test: m libbluetooth Ignore-AOSP-First: security Tag: security Flag: EXEMPT trivial validity check (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:319bb08af014e30654548c679f5e1cb2721c0c60) Merged-In: Ic3079c4c2d6933355cf4e8444e8f25ebedeafefe Change-Id: Ic3079c4c2d6933355cf4e8444e8f25ebedeafefe
-rw-r--r--system/stack/sdp/sdp_discovery.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/system/stack/sdp/sdp_discovery.cc b/system/stack/sdp/sdp_discovery.cc
index 2e8c63ebc7..bf7f454536 100644
--- a/system/stack/sdp/sdp_discovery.cc
+++ b/system/stack/sdp/sdp_discovery.cc
@@ -844,6 +844,11 @@ static uint8_t* add_attr(uint8_t* p, uint8_t* p_end, tSDP_DISCOVERY_DB* p_db,
nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);
+ if (p + sizeof(uint8_t) > p_end) {
+ SDP_TRACE_WARNING("bad arguments to add_addr", __func__);
+ return NULL;
+ }
+
type = *p++;
p = sdpu_get_len_from_type(p, p_end, type, &attr_len);
if (p == NULL || (p + attr_len) > p_end) {
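Review bot: The new guard `if (p + sizeof(uint8_t) > p_end)` computes a pointer past `p_end` before comparing it, which is not defined pointer arithmetic when `p == p_end` and `p_end` is already one past the buffer. Comparing the pointers directly avoids this and keeps the same outcome: `if (p >= p_end) {`. The warning on the next line names `add_addr` instead of `add_attr` and passes `__func__` to a format string with no conversion, so the function name is never printed. If the macro is printf-style, `SDP_TRACE_WARNING("%s: no room for attribute type byte", __func__);` fixes both. The body of add_attr starts and ends outside this hunk, so the later `(p + attr_len) > p_end` test, which has the same add-then-compare shape with a length presumably taken from the peer's response, deserves the same `attr_len > (size_t)(p_end - p)` form.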