authorAnderson Lizardo <anderson.lizardo@openbossa.org>2013-02-03 21:20:43 -0400
committerJohan Hedberg <johan.hedberg@intel.com>2013-02-15 12:36:42 +0200
commit870fe03a79fa990c40f37f037e9236dba11811e2 (patch)
treecebeca554650a14485332c9f650f1683ea4f7e1e /lib/sdp.c
parent0d989313b39e52eff0b4ad6d4adf0b3dfbaf1179 (diff)
downloadbluez-870fe03a79fa990c40f37f037e9236dba11811e2.tar.gz
lib: Fix buffer overflow when processing SDP response
rsp_count is either read or calculated from untrusted input, and therefore needs to be checked before being used as offset. The "plen" variable is appropriate because it is calculated as the sum of fixed and variable length fields, excluding the continuation state field, which has at least 1 byte for its own length field.
Diffstat (limited to 'lib/sdp.c')
-rw-r--r--lib/sdp.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/sdp.c b/lib/sdp.c
index b87f392ac..7ab7379b5 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4189,6 +4189,17 @@ int sdp_process(sdp_session_t *session)
goto end;
}
+ /* Out of bound check before using rsp_count as offset for
+ * continuation state, which has at least a one byte size
+ * field.
+ */
+ if ((n - (int) sizeof(sdp_pdu_hdr_t)) < plen + 1) {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid PDU size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
+ }
+
pcstate = (sdp_cstate_t *) (pdata + rsp_count);
SDPDBG("Cstate length : %d\n", pcstate->length);
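Review bot: The new guard only proves that the one-byte length field of the continuation state lies inside the received PDU; the `pcstate->length` bytes that follow it are not bounded anywhere in this hunk, so a peer-supplied length could still cause a read past the response if later code copies the continuation state by that value. Once the length byte is known to be readable, a second check such as `if (n - (int) sizeof(sdp_pdu_hdr_t) < plen + 1 + pcstate->length)`, taking the same EPROTO / SDP_INVALID_PDU_SIZE path, would close that gap. The comparison also relies on `plen` being a signed int: if it is declared unsigned, a negative left-hand side would be converted to a large value and the test would pass, so its declaration is worth confirming. sdp_process starts before and continues after this hunk, so a check further down may already cover the first point.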