author | Par-Gunnar Hjalmdahl <par-gunnar.hjalmdahl@stericsson.com> | 2012-07-27 11:06:40 +0200 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2012-08-15 15:42:06 +0300 |
commit | 2b44cd2fba6e9a8590f30e68db0f6b92e8fcdb94 (patch) | |
tree | b2ed8f31ba5e80480b6a2a0ca8426760f9888674 /profiles/network | |
parent | 04be4fe0c0126f8816d55a7d3a8ff9e6dd27f73f (diff) | |
download | bluez-2b44cd2fba6e9a8590f30e68db0f6b92e8fcdb94.tar.gz |
network: Check full BNEP UUID
This patch fixes an issue where only the 2 bytes containing the service
ID were checked from the BNEP UUID. Fixes behavior for BT test cases
TP/PAN/MISC/UUID/BV-01-C & TP/PAN/MISC/UUID/BV-02-C.
Diffstat (limited to 'profiles/network')
-rw-r--r-- | profiles/network/server.c | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/profiles/network/server.c b/profiles/network/server.c
index 480c7e2c5..8ae608cdb 100644
--- a/profiles/network/server.c
+++ b/profiles/network/server.c
@@ -301,7 +301,10 @@ static uint16_t bnep_setup_chk(uint16_t dst_role, uint16_t src_role)
 static uint16_t bnep_setup_decode(struct bnep_setup_conn_req *req,
 uint16_t *dst_role, uint16_t *src_role)
 {
+ const uint8_t bt_base[] = { 0x00, 0x00, 0x10, 0x00, 0x80, 0x00,
+ 0x00, 0x80, 0x5F, 0x9B, 0x34, 0xFB };
 uint8_t *dest, *source;
+ uint32_t val;
 dest = req->service;
 source = req->service + req->uuid_size;
@@ -311,10 +314,27 @@ static uint16_t bnep_setup_decode(struct bnep_setup_conn_req *req,
 *dst_role = bt_get_be16(dest);
 *src_role = bt_get_be16(source);
 break;
- case 4: /* UUID32 */
 case 16: /* UUID128 */
- *dst_role = bt_get_be32(dest);
- *src_role = bt_get_be32(source);
+ /* Check that the bytes in the UUID, except the service ID
+ * itself, are correct. The service ID is checked in
+ * bnep_setup_chk(). */
+ if (memcmp(&dest[4], bt_base, sizeof(bt_base)) != 0)
+ return BNEP_CONN_INVALID_DST;
+ if (memcmp(&source[4], bt_base, sizeof(bt_base)) != 0)
+ return BNEP_CONN_INVALID_SRC;
+
+ /* Intentional no-break */
+
+ case 4: /* UUID32 */
+ val = bt_get_be32(dest);
+ if (val > 0xffff)
+ return BNEP_CONN_INVALID_DST;
+ *dst_role = val;
+
+ val = bt_get_be32(source);
+ if (val > 0xffff)
+ return BNEP_CONN_INVALID_SRC;
+ *src_role = val;
 break;
 default:
 return BNEP_CONN_INVALID_SVC; |
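Review bot: `bt_base` in the first hunk is an undocumented automatic array, so its twelve bytes are rebuilt on every call and a reader has to recognise the constant unaided. I would declare it `static const uint8_t bt_base[] = { ... };` and put `/* Bluetooth Base UUID 00000000-0000-1000-8000-00805F9B34FB, minus its first four bytes */` above it. The body of bnep_setup_decode continues past this hunk.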
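Review bot: The new UUID128 branch reads twelve bytes at `&dest[4]` and `&source[4]`, which reaches 32 bytes past `req->service`, yet nothing in bnep_setup_decode bounds those reads against the length of the received setup request, and `req->uuid_size` is supplied by the remote device. The function takes no length argument, so the caller would have to reject any packet shorter than `sizeof(*req) + 2 * req->uuid_size` before calling it; that check is not visible in this diff and should be confirmed or added. In the UUID32 path, `return BNEP_CONN_INVALID_SRC` is reached after `*dst_role = val;` has already been written, so callers must treat both outputs as undefined on any error return; a one-line comment saying so above the function would help. The switch begins before this hunk and the function ends after it.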