diff options
| author | Anderson Lizardo <anderson.lizardo@openbossa.org> | 2014-01-11 00:47:25 -0400 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2014-01-11 18:56:03 +0200 |
| commit | 88cdd5749c491ea26c080f79e1ac5b76b711f32b (patch) | |
| tree | 4f95fa9f509faecec6d137b9d0f16da1b3c87b0d /attrib/att.c | |
| parent | a9249eece7300d4e23ed8c6c5b5f10c5029db750 (diff) | |
| download | bluez-88cdd5749c491ea26c080f79e1ac5b76b711f32b.tar.gz | |
attrib: Reject incomplete PDU in dec_find_by_type_resp()
Otherwise, an incomplete PDU may be silently accepted (with any
remaining data discarded).
Diffstat (limited to 'attrib/att.c')
| -rw-r--r-- | attrib/att.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/attrib/att.c b/attrib/att.c index d36791860..c279b2ce4 100644 --- a/attrib/att.c +++ b/attrib/att.c @@ -334,12 +334,21 @@ GSList *dec_find_by_type_resp(const uint8_t *pdu, size_t len) GSList *matches; off_t offset; + /* PDU should contain at least: + * - Attribute Opcode (1 octet) + * - Handles Information List (at least one entry): + * - Found Attribute Handle (2 octets) + * - Group End Handle (2 octets) */ if (pdu == NULL || len < 5) return NULL; if (pdu[0] != ATT_OP_FIND_BY_TYPE_RESP) return NULL; + /* Reject incomplete Handles Information List */ + if ((len - 1) % 4) + return NULL; + for (offset = 1, matches = NULL; len >= (offset + sizeof(uint16_t) * 2); offset += sizeof(uint16_t) * 2) { |