diff options
author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2014-04-16 09:16:19 +0300 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2014-04-25 15:05:23 +0300 |
commit | c621375e83f070b3d377d97b66290e4db5831af1 (patch) | |
tree | 64a073eff4fb8f5ad5ac5c698c6f1cab500bec71 /android/avctp.c | |
parent | bf1d6f9bed76ff803a6f369634568cde09d8f6ae (diff) | |
download | bluez-c621375e83f070b3d377d97b66290e4db5831af1.tar.gz |
android/avctp: Add proper checks for invalid browsing PDUs
Diffstat (limited to 'android/avctp.c')
-rw-r--r-- | android/avctp.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/android/avctp.c b/android/avctp.c index 4556ceb0a..94f84ad4d 100644 --- a/android/avctp.c +++ b/android/avctp.c @@ -814,10 +814,17 @@ static gboolean session_browsing_cb(GIOChannel *chan, GIOCondition cond, if (ret <= 0) goto failed; + if (ret < AVCTP_HEADER_LENGTH) { + error("Too small AVCTP packet"); + goto failed; + } + avctp = (struct avctp_header *) buf; - if (avctp->packet_type != AVCTP_PACKET_SINGLE) + if (avctp->packet_type != AVCTP_PACKET_SINGLE) { + error("Invalid packet type"); goto failed; + } operands = buf + AVCTP_HEADER_LENGTH; ret -= AVCTP_HEADER_LENGTH; |