android/avctp: Add proper checks for invalid browsing PDUs

author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2014-04-16 09:16:19 +0300
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2014-04-25 15:05:23 +0300
commit: c621375e83f070b3d377d97b66290e4db5831af1 (patch)
tree: 64a073eff4fb8f5ad5ac5c698c6f1cab500bec71 /android/avctp.c
parent: bf1d6f9bed76ff803a6f369634568cde09d8f6ae (diff)
download: bluez-c621375e83f070b3d377d97b66290e4db5831af1.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/android/avctp.c b/android/avctp.c
index 4556ceb0a..94f84ad4d 100644
--- a/android/avctp.c
+++ b/android/avctp.c
@@ -814,10 +814,17 @@ static gboolean session_browsing_cb(GIOChannel *chan, GIOCondition cond,
 	if (ret <= 0)
 		goto failed;
 
+	if (ret < AVCTP_HEADER_LENGTH) {
+		error("Too small AVCTP packet");
+		goto failed;
+	}
+
 	avctp = (struct avctp_header *) buf;
 
-	if (avctp->packet_type != AVCTP_PACKET_SINGLE)
+	if (avctp->packet_type != AVCTP_PACKET_SINGLE) {
+		error("Invalid packet type");
 		goto failed;
+	}
 
 	operands = buf + AVCTP_HEADER_LENGTH;
 	ret -= AVCTP_HEADER_LENGTH;
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2014-04-16 09:16:19 +0300
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2014-04-25 15:05:23 +0300
commit	c621375e83f070b3d377d97b66290e4db5831af1 (patch)
tree	64a073eff4fb8f5ad5ac5c698c6f1cab500bec71 /android/avctp.c
parent	bf1d6f9bed76ff803a6f369634568cde09d8f6ae (diff)
download	bluez-c621375e83f070b3d377d97b66290e4db5831af1.tar.gz