authorSzymon Janc <szymon.janc@gmail.com>2013-06-26 22:26:35 +0200
committerJohan Hedberg <johan.hedberg@intel.com>2013-07-10 12:36:34 +0300
commita7272970390f44fb42764252ead298ba664aee90 (patch)
tree996a78765c35e3a102bf5fc2635d9a8fd8597612 /lib/sdp.c
parentae672c6f3ed45263be3b57fe9f15b9f3417cfcc5 (diff)
lib: Add range check for SDP_SVC_ATTR_RSP/SDP_SVC_SEARCH_ATTR_RSP
This is an improved version of the recently reverted commit 1796f00e8465. The response size is verified against the minimal allowed value only if it is a complete response. If the response is partial, the spec allows it to be split in an arbitrary manner. Verified against Nokia BH217, on which the original commit caused a regression.
Diffstat (limited to 'lib/sdp.c')
-rw-r--r--lib/sdp.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/lib/sdp.c b/lib/sdp.c
index d8bfc51e4..54a99b6a4 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4243,6 +4243,14 @@ int sdp_process(sdp_session_t *session)
rsp_count = bt_get_be16(pdata);
SDPDBG("Attrlist byte count : %d", rsp_count);
+ /* Valid range for rsp_count is 0x0002-0xFFFF */
+ if (t->rsp_concat_buf.data_size == 0 && rsp_count < 0x0002) {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid AttrList size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
+ }
+
/*
* Number of bytes in the AttributeLists parameter(without
* continuation state) + AttributeListsByteCount field size.
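Review bot: The guard `t->rsp_concat_buf.data_size == 0 && rsp_count < 0x0002` tests whether an earlier fragment is already buffered, not whether this response is complete, so the first fragment of a split response still appears to be held to the 2-byte minimum while later fragments get no lower bound at all. If the intent is what the commit message describes (minimum enforced only for complete responses), the decision likely needs the continuation state, which is parsed outside this hunk. Either way the comment should state the actual rule, e.g. `/* Valid range is 0x0002-0xFFFF; enforced only when no earlier fragment is buffered, as partial responses may be split arbitrarily */`. The hunk also does not show `rsp_count` being compared with the number of bytes actually received before it feeds the length computation that follows; since the value comes from the remote device, that bound is worth confirming. The body of `sdp_process` starts and ends outside the hunk.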