attrib: Add extra PDU checks when decoding Read by Group Type Response

These checks are needed to avoid invalid memory access on bogus PDUs.
author: Anderson Lizardo <anderson.lizardo@openbossa.org> 2014-01-11 00:47:22 -0400
committer: Johan Hedberg <johan.hedberg@intel.com> 2014-01-11 18:56:03 +0200
commit: ef97296c20ea305b3214323487c42e727ce7aead (patch)
tree: c09740589960465795fc5cf7e93150f07ba092d3 /attrib
parent: a5e6aafdf714b9249677f20fe79205f25359ae1e (diff)
download: bluez-ef97296c20ea305b3214323487c42e727ce7aead.tar.gz
1 files changed, 18 insertions, 0 deletions
diff --git a/attrib/att.c b/attrib/att.c
index 472c25c70..777ef464c 100644
--- a/attrib/att.c
+++ b/attrib/att.c
@@ -211,7 +211,25 @@ struct att_data_list *dec_read_by_grp_resp(const uint8_t *pdu, size_t len)
 	if (pdu[0] != ATT_OP_READ_BY_GROUP_RESP)
 		return NULL;
 
+	/* PDU must contain at least:
+	 * - Attribute Opcode (1 octet)
+	 * - Length (1 octet)
+	 * - Attribute Data List (at least one entry):
+	 *   - Attribute Handle (2 octets)
+	 *   - End Group Handle (2 octets)
+	 *   - Attribute Value (at least 1 octet) */
+	if (len < 7)
+		return NULL;
+
 	elen = pdu[1];
+	/* Minimum Attribute Data List size */
+	if (elen < 5)
+		return NULL;
+
+	/* Reject incomplete Attribute Data List */
+	if ((len - 2) % elen)
+		return NULL;
+
 	num = (len - 2) / elen;
 	list = att_data_list_alloc(num, elen);
 	if (list == NULL)
author	Anderson Lizardo <anderson.lizardo@openbossa.org>	2014-01-11 00:47:22 -0400
committer	Johan Hedberg <johan.hedberg@intel.com>	2014-01-11 18:56:03 +0200
commit	ef97296c20ea305b3214323487c42e727ce7aead (patch)
tree	c09740589960465795fc5cf7e93150f07ba092d3 /attrib
parent	a5e6aafdf714b9249677f20fe79205f25359ae1e (diff)
download	bluez-ef97296c20ea305b3214323487c42e727ce7aead.tar.gz