author | Claudio Takahasi <claudio.takahasi@openbossa.org> | 2012-06-20 14:27:43 -0300 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2012-06-27 15:49:18 +0300 |
commit | 2f8cd0cb7eb9a4bceb1cec221ccd21f76d66f318 (patch) | |
tree | 00f40acac4e8fbd3a65a12d120aad977dedd6345 /attrib/att.c | |
parent | f0478f073aff412552b568df96b2e6a5fd68c474 (diff) | |
ATT: Avoid invalid memory access for large PDU
This patch avoids invalid memory access when decoding ATT read response
PDUs. The ATT_MTU value is a per ATT Bearer value defined by the higher
layer specification.
Diffstat (limited to 'attrib/att.c')
-rw-r--r-- | attrib/att.c | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/attrib/att.c b/attrib/att.c
index c8e2e1d9d..0550ac13a 100644
--- a/attrib/att.c
+++ b/attrib/att.c
@@ -681,22 +681,23 @@ uint16_t enc_read_blob_resp(uint8_t *value, int vlen, uint16_t offset,
 return vlen + 1;
 }
 
-uint16_t dec_read_resp(const uint8_t *pdu, int len, uint8_t *value, int *vlen)
+ssize_t dec_read_resp(const uint8_t *pdu, int len, uint8_t *value, int vlen)
 {
 if (pdu == NULL)
- return 0;
+ return -EINVAL;
 
- if (value == NULL || vlen == NULL)
- return 0;
+ if (value == NULL)
+ return -EINVAL;
 
 if (pdu[0] != ATT_OP_READ_RESP)
- return 0;
+ return -EINVAL;
 
- memcpy(value, pdu + 1, len - 1);
+ if (vlen < (len - 1))
+ return -ENOBUFS;
 
- *vlen = len - 1;
+ memcpy(value, pdu + 1, len - 1);
 
- return len;
+ return len - 1;
 }
 
 uint16_t enc_error_resp(uint8_t opcode, uint16_t handle, uint8_t status,
|
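Review bot: The new size check in dec_read_resp does not cover a PDU length below 1. `len` is a signed int that is never validated, so with `len == 0` the opcode test reads `pdu[0]` from an empty buffer and `len - 1` becomes -1, which passes `vlen < (len - 1)` for any non-negative `vlen` and reaches memcpy converted to a huge size_t. Adding `if (len < 1) return -EINVAL;` ahead of the `pdu[0]` test closes that path. The return type also changes from uint16_t to ssize_t carrying negative errno values, so a caller that still stores the result in an unsigned 16-bit variable or only tests it against 0 would treat an error as a length; the callers are not visible in this file's diff and should be checked. A short comment above the function stating that it returns the number of value bytes copied or a negative errno would make the new contract explicit.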