From 43b25e2a2f34563d3e8d09b26e77d54cb6476643 Mon Sep 17 00:00:00 2001
From: Angus Gratton
Date: Wed, 27 Sep 2017 09:49:04 +1000
Subject: [PATCH] bluedroid: Add continuation offset check to SDP server

Fix for CVE-2017-0785 https://android.googlesource.com/platform/system/bt/+/818cf6f%5E%21/#F0
---
 components/bt/bluedroid/stack/sdp/sdp_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/components/bt/bluedroid/stack/sdp/sdp_server.c b/components/bt/bluedroid/stack/sdp/sdp_server.c
index 02a33793d..cd0e20790 100644
--- a/components/bt/bluedroid/stack/sdp/sdp_server.c
+++ b/components/bt/bluedroid/stack/sdp/sdp_server.c
@@ -223,7 +223,7 @@ static void process_service_search (tCONN_CB *p_ccb, UINT16 trans_num,
 }
 BE_STREAM_TO_UINT16 (cont_offset, p_req);
- if (cont_offset != p_ccb->cont_offset) {
+ if (cont_offset != p_ccb->cont_offset || num_rsp_handles < cont_offset) {
 sdpu_build_n_send_error (p_ccb, trans_num, SDP_INVALID_CONT_STATE, SDP_TEXT_BAD_CONT_INX);
 return;