diff options
author | Anderson Lizardo <anderson.lizardo@openbossa.org> | 2013-02-03 21:20:43 -0400 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2013-02-15 12:36:42 +0200 |
commit | 870fe03a79fa990c40f37f037e9236dba11811e2 (patch) | |
tree | cebeca554650a14485332c9f650f1683ea4f7e1e /lib/sdp.c | |
parent | 0d989313b39e52eff0b4ad6d4adf0b3dfbaf1179 (diff) | |
download | bluez-870fe03a79fa990c40f37f037e9236dba11811e2.tar.gz |
lib: Fix buffer overflow when processing SDP response
rsp_count is either read or calculated from untrusted input, and
therefore needs to be checked before being used as offset. The "plen"
variable is appropriate because it is calculated as the sum of fixed and
variable length fields, excluding the continuation state field, which
has at least 1 byte for its own length field.
Diffstat (limited to 'lib/sdp.c')
-rw-r--r-- | lib/sdp.c | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -4189,6 +4189,17 @@ int sdp_process(sdp_session_t *session) goto end; } + /* Out of bound check before using rsp_count as offset for + * continuation state, which has at least a one byte size + * field. + */ + if ((n - (int) sizeof(sdp_pdu_hdr_t)) < plen + 1) { + t->err = EPROTO; + SDPERR("Protocol error: invalid PDU size"); + status = SDP_INVALID_PDU_SIZE; + goto end; + } + pcstate = (sdp_cstate_t *) (pdata + rsp_count); SDPDBG("Cstate length : %d\n", pcstate->length); |