From b9a94d52c59f55318e7a7d0d5f199e4a633a7782 Mon Sep 17 00:00:00 2001
From: Hui Peng <phui@google.com>
Date: Sat, 14 Jan 2023 09:04:11 +0000
Subject: [PATCH] Fix an OOB bug in remove_sdp_record

Bug: 245517503
Test: manual
Ignore-AOSP-First: security
Change-Id: If768b0b2e11bbc4444835fda28e246e285a7e8ab
---
 system/btif/src/btif_sdp_server.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/system/btif/src/btif_sdp_server.cc b/system/btif/src/btif_sdp_server.cc
index ba166b60675..50d1e0afa5c 100644
--- a/system/btif/src/btif_sdp_server.cc
+++ b/system/btif/src/btif_sdp_server.cc
@@ -288,6 +288,10 @@ bt_status_t create_sdp_record(bluetooth_sdp_record* record,
 bt_status_t remove_sdp_record(int record_id) {
   int handle;
 
+  if (record_id >= MAX_SDP_SLOTS) {
+    return BT_STATUS_PARM_INVALID;
+  }
+
   bluetooth_sdp_record* record;
   bluetooth_sdp_types sdp_type = SDP_TYPE_RAW;
   {
-- 
GitLab