sdp: Fix Out-of-bounds heap read in service_search_attr_req function 84/149984/1
author Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Wed, 13 Sep 2017 07:01:40 +0000 (10:01 +0300)
committer DoHyun Pyun <dh79.pyun@samsung.com>
Thu, 14 Sep 2017 01:59:34 +0000 (10:59 +0900)
Check if there is enough data to continue otherwise return an error.
(CVE-2017-1000250)

Change-Id: Iedcc39a0706b0052aeb167c77f2da2b5597f91ce
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
src/sdpd-request.c

index 1eefdce..318d044 100644 (file)
@@ -917,7 +917,7 @@ static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
        } else {
                /* continuation State exists -> get from cache */
                sdp_buf_t *pCache = sdp_get_cached_rsp(cstate);
-               if (pCache) {
+               if (pCache && cstate->cStateValue.maxBytesSent < pCache->data_size) {
                        uint16_t sent = MIN(max, pCache->data_size - cstate->cStateValue.maxBytesSent);
                        pResponse = pCache->data;
                        memcpy(buf->data, pResponse + cstate->cStateValue.maxBytesSent, sent);
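
Review bot: The new bounds test on the "if (pCache && ...)" line now shares its failure path with the pCache == NULL case, and that else branch is outside this hunk. Please confirm it returns an error for an out-of-range continuation offset, as the commit message states, and that any debug text there still fits both causes. A short comment above the condition would also help: this check is what keeps "pCache->data_size - cstate->cStateValue.maxBytesSent" from going negative or wrapping, and keeps "pResponse + cstate->cStateValue.maxBytesSent" inside the cached buffer before the memcpy.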