blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-03-10 01:29:21 -04:00
Code Issues Projects Releases Wiki Activity

Merge branch 'bugfix/sdp_record_check' into 'master'

Browse Source 
fix(bt): Fixed SDP record integrity check bug

See merge request espressif/esp-idf!36891
This commit is contained in:
Wang Meng Yang 2025-02-14 09:10:39 +08:00
commit 472792eb8a
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
components/bt/host/bluedroid/api/esp_sdp_api.c
View File

@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@ -21,6 +21,10 @@ static bool esp_sdp_record_integrity_check(esp_bluetooth_sdp_record_t *record)
bool ret = true; bool ret = true;
if (record != NULL) { if (record != NULL) {
if (record->hdr.type < ESP_SDP_TYPE_RAW || record->hdr.type > ESP_SDP_TYPE_DIP_SERVER) {
LOG_ERROR("Invalid type!\n");
return false;
}
switch (record->hdr.type) { switch (record->hdr.type) {
case ESP_SDP_TYPE_DIP_SERVER: case ESP_SDP_TYPE_DIP_SERVER:
if (record->dip.vendor_id_source != ESP_SDP_VENDOR_ID_SRC_BT && if (record->dip.vendor_id_source != ESP_SDP_VENDOR_ID_SRC_BT &&
@ -43,12 +47,14 @@ static bool esp_sdp_record_integrity_check(esp_bluetooth_sdp_record_t *record)
break; break;
default: default:
break;
}
if (record->hdr.type != ESP_SDP_TYPE_DIP_SERVER) {
if (record->hdr.service_name_length > ESP_SDP_SERVER_NAME_MAX || if (record->hdr.service_name_length > ESP_SDP_SERVER_NAME_MAX ||
strlen(record->hdr.service_name) + 1 != record->hdr.service_name_length) { strlen(record->hdr.service_name) + 1 != record->hdr.service_name_length) {
LOG_ERROR("Invalid server name!\n"); LOG_ERROR("Invalid server name!\n");
ret = false; ret = false;
} }
break;
} }
} else { } else {
LOG_ERROR("record is NULL!\n"); LOG_ERROR("record is NULL!\n");