author | Szymon Janc <szymon.janc@gmail.com> | 2013-06-26 22:26:35 +0200 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2013-07-10 12:36:34 +0300 |
commit | a7272970390f44fb42764252ead298ba664aee90 (patch) | |
tree | 996a78765c35e3a102bf5fc2635d9a8fd8597612 /lib/sdp.c | |
parent | ae672c6f3ed45263be3b57fe9f15b9f3417cfcc5 (diff) | |
download | bluez-a7272970390f44fb42764252ead298ba664aee90.tar.gz |
lib: Add range check for SDP_SVC_ATTR_RSP/SDP_SVC_SEARCH_ATTR_RSP
This is an improved version of the recently reverted commit 1796f00e8465.
Response size is verified against the minimal allowed value only if it is
a complete response. If the response is partial, it is allowed by the spec
that it will be split in an arbitrary manner.
Verified against a Nokia BH217, on which the original commit caused a
regression.
Diffstat (limited to 'lib/sdp.c')
-rw-r--r-- | lib/sdp.c | 8 |
1 files changed, 8 insertions, 0 deletions
@@ -4243,6 +4243,14 @@ int sdp_process(sdp_session_t *session) rsp_count = bt_get_be16(pdata); SDPDBG("Attrlist byte count : %d", rsp_count); + /* Valid range for rsp_count is 0x0002-0xFFFF */ + if (t->rsp_concat_buf.data_size == 0 && rsp_count < 0x0002) { + t->err = EPROTO; + SDPERR("Protocol error: invalid AttrList size"); + status = SDP_INVALID_PDU_SIZE; + goto end; + } + /* * Number of bytes in the AttributeLists parameter(without * continuation state) + AttributeListsByteCount field size. |
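Review bot: The guard `t->rsp_concat_buf.data_size == 0` in the new `if` tests that no earlier fragment has been buffered, which is not the same as the "complete response" condition the commit message describes. The first PDU of a split response also arrives with an empty concat buffer, so it would still be rejected when its `rsp_count` is below 0x0002, even though the message says partial responses may be split arbitrarily. If that case is meant to be allowed, the check should be made once the continuation state of this PDU is known, so that only a PDU with no continuation state and an empty buffer is held to the minimum. Separately, the comment "Valid range for rsp_count is 0x0002-0xFFFF" states the range unconditionally; it should say that the lower bound is enforced only when nothing has been concatenated yet and why, since the reason (the earlier commit was reverted after a regression) is currently recorded only in the commit message.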