From 797daed7797c70862b5dc23f50c28981226d1552 Mon Sep 17 00:00:00 2001
From: Brian Delwiche <delwiche@google.com>
Date: Thu, 4 Aug 2022 17:26:25 +0000
Subject: [PATCH] Add negative length check in process_service_search_rsp

Bug:225876506
Test: run supplied POC (updated to Android T)
Tag: #security
Ignore-AOSP-First: Security

Change-Id: I0eb0f20eb03e6490ba6c20b3e79c97970c275d9e
---
 system/stack/sdp/sdp_discovery.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/system/stack/sdp/sdp_discovery.cc b/system/stack/sdp/sdp_discovery.cc
index bd8af8eb28d..a6ad62bf22f 100644
--- a/system/stack/sdp/sdp_discovery.cc
+++ b/system/stack/sdp/sdp_discovery.cc
@@ -280,7 +280,7 @@ static void process_service_search_rsp(tCONN_CB* p_ccb, uint8_t* p_reply,
 
   orig = p_ccb->num_handles;
   p_ccb->num_handles += cur_handles;
-  if (p_ccb->num_handles == 0) {
+  if (p_ccb->num_handles == 0 || p_ccb->num_handles < orig) {
     SDP_TRACE_WARNING("SDP - Rcvd ServiceSearchRsp, no matches");
     sdp_disconnect(p_ccb, SDP_NO_RECS_MATCH);
     return;
-- 
GitLab