author | Claudio Takahasi <claudio.takahasi@openbossa.org> | 2014-04-01 14:33:30 -0300 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2014-04-03 10:20:39 +0300 |
commit | 2514293cd2c635dda51d3a562dd876056bb6c6c7 (patch) | |
tree | 8d6ebe5a14e80ea2c35b56db50b5c6e558c37ad9 /attrib | |
parent | 58c09774c82193b1dc958260f9d792068833a39a (diff) | |
attrib: Improve Attribute Data length checking
According to Core SPEC, attribute data list must be grouped in elements
of the same size.
Diffstat (limited to 'attrib')
-rw-r--r-- | attrib/gatt.c | 40 |
1 files changed, 17 insertions, 23 deletions
diff --git a/attrib/gatt.c b/attrib/gatt.c
index 5ae20f453..49cd1a3bd 100644
--- a/attrib/gatt.c
+++ b/attrib/gatt.c
@@ -254,6 +254,16 @@ static void primary_all_cb(guint8 status, const guint8 *ipdu, guint16 iplen,
 goto done;
 }

+ if (list->len == 6)
+ type = BT_UUID16;
+ else if (list->len == 20)
+ type = BT_UUID128;
+ else {
+ att_data_list_free(list);
+ err = ATT_ECODE_INVALID_PDU;
+ goto done;
+ }
+
 for (i = 0, end = 0; i < list->num; i++) {
 const uint8_t *data = list->data[i];
 struct gatt_primary *primary;
@@ -262,19 +272,6 @@ static void primary_all_cb(guint8 status, const guint8 *ipdu, guint16 iplen,
 start = get_le16(&data[0]);
 end = get_le16(&data[2]);

- /*
- * FIXME: Check before "for". Elements in the Attribute
- * Data List have the same length (list->len).
- */
- if (list->len == 6)
- type = BT_UUID16;
- else if (list->len == 20)
- type = BT_UUID128;
- else {
- /* Skipping invalid data */
- continue;
- }
-
 get_uuid128(type, &data[4], &uuid128);

 primary = g_try_new0(struct gatt_primary, 1);
@@ -507,6 +504,7 @@ static void char_discovered_cb(guint8 status, const guint8 *ipdu, guint16 iplen,
 struct att_data_list *list;
 unsigned int i, err = ATT_ECODE_ATTR_NOT_FOUND;
 uint16_t last = 0;
+ uint8_t type;

 if (status) {
 err = status;
@@ -519,23 +517,18 @@ static void char_discovered_cb(guint8 status, const guint8 *ipdu, guint16 iplen,
 goto done;
 }

+ if (list->len == 7)
+ type = BT_UUID16;
+ else
+ type = BT_UUID128;
+
 for (i = 0; i < list->num; i++) {
 uint8_t *value = list->data[i];
 struct gatt_char *chars;
 bt_uuid_t uuid128;
- uint8_t type;

 last = get_le16(value);

- /*
- * FIXME: Check before "for". Elements in the Attribute
- * Data List have the same length (list->len).
- */
- if (list->len == 7)
- type = BT_UUID16;
- else
- type = BT_UUID128;
-
 get_uuid128(type, &value[5], &uuid128);

 if (dc->uuid && bt_uuid_cmp(dc->uuid, &uuid128))
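Review bot: The literals 6 and 20 in the check added before the loop in primary_all_cb are left unexplained now that the FIXME comment is removed. Going by the accesses in the loop (start handle at data[0], end handle at data[2], UUID at data[4]) they are 4 + 2 and 4 + 16, so a comment above the `if` such as `/* 2 (start handle) + 2 (end group handle) + 2 or 16 (UUID) */` would record that. The same applies to the `7` in the char_discovered_cb hunk, where the UUID starts at value[5]. primary_all_cb begins and ends outside the hunk.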
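Review bot: The check added before the loop in char_discovered_cb still maps every length other than 7 to BT_UUID128, so an element length supplied by the remote device that is neither 7 nor 21 is accepted. get_uuid128() is then called on &value[5] with the 128-bit type, which presumably reads 16 bytes; if each element holds only list->len bytes (the allocation is not visible here), that runs past a short element. Rejecting the PDU the way the primary_all_cb hunk of this commit does would close the gap, as in the excerpt below. The function body continues outside the hunk, and whether the decoder that fills `list` already bounds list->len cannot be seen from this diff.

```c
	if (list->len == 7)
		type = BT_UUID16;
	else if (list->len == 21)
		type = BT_UUID128;
	else {
		att_data_list_free(list);
		err = ATT_ECODE_INVALID_PDU;
		goto done;
	}

	/* … unchanged: for loop over list->num … */
```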
@@ -543,6 +536,7 @@ static void char_discovered_cb(guint8 status, const guint8 *ipdu, guint16 iplen,

 chars = g_try_new0(struct gatt_char, 1);
 if (!chars) {
+ att_data_list_free(list);
 err = ATT_ECODE_INSUFF_RESOURCES;
 goto done;
 }
|
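Review bot: The `att_data_list_free(list);` added on the g_try_new0() failure path is a leak fix unrelated to the length checking named in the commit title, and the description does not mention it. A sentence in the message, e.g. `Also free the attribute data list when allocating a characteristic fails.`, would make the fix findable in the history. The `done` label is outside the hunk, so it cannot be confirmed from here that `list` is not used or freed again after this call.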