Mirrors/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-06-08 14:16:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix(bt/bluedroid): fixed an OOB write in SDP_AddAttribute

Browse Source
This commit is contained in:
Jin Cheng
2025-10-11 18:55:55 +08:00
parent 3ec5f615ae
commit 5a2b29fe82
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
components/bt/host/bluedroid/stack/sdp/sdp_db.c
View File

@@ -415,6 +415,10 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type,
tSDP_RECORD *p_rec = NULL;
list_node_t *p_node= NULL;
if (!p_val) {
return FALSE;
}
#if (BT_TRACE_VERBOSE == TRUE)
if (sdp_cb.trace_level >= BT_TRACE_LEVEL_DEBUG) {
if ((attr_type == UINT_DESC_TYPE) ||
@@ -448,6 +452,12 @@ BOOLEAN SDP_AddAttribute (UINT32 handle, UINT16 attr_id, UINT8 attr_type,
if (p_rec->record_handle == handle) {
tSDP_ATTRIBUTE *p_attr = &p_rec->attribute[0];
// error out early, no need to look up
if (p_rec->free_pad_ptr >= SDP_MAX_PAD_LEN) {
SDP_TRACE_ERROR("the free pad for SDP record with handle %d is full, skip adding the attribute", handle);
return (FALSE);
}
/* Found the record. Now, see if the attribute already exists */
for (xx = 0; xx < p_rec->num_attributes; xx++, p_attr++) {
/* The attribute exists. replace it */