avrcp: Fix not checking if params_len match number of received bytes

This makes sure the number of bytes in the params_len matches the remaining bytes received so the code don't end up accessing invalid memory.
author: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2021-04-29 18:18:57 -0700
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2021-05-04 16:56:18 -0700
commit: e2b0f0d8d63e1223bb714a9efb37e2257818268b (patch)
tree: 8094bc66dfd2de999e902bda1a507cbdc5c3d542 /profiles
parent: 7a80d2096f1b7125085e21448112aa02f49f5e9a (diff)
download: bluez-e2b0f0d8d63e1223bb714a9efb37e2257818268b.tar.gz
1 files changed, 8 insertions, 0 deletions
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 05dd791de..c6a342ee3 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
 		goto err_metadata;
 	}
 
+	operands += sizeof(*pdu);
+	operand_count -= sizeof(*pdu);
+
+	if (pdu->params_len != operand_count) {
+		DBG("AVRCP PDU parameters length don't match");
+		pdu->params_len = operand_count;
+	}
+
 	for (handler = session->control_handlers; handler->pdu_id; handler++) {
 		if (handler->pdu_id == pdu->pdu_id)
 			break;
author	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2021-04-29 18:18:57 -0700
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>	2021-05-04 16:56:18 -0700
commit	e2b0f0d8d63e1223bb714a9efb37e2257818268b (patch)
tree	8094bc66dfd2de999e902bda1a507cbdc5c3d542 /profiles
parent	7a80d2096f1b7125085e21448112aa02f49f5e9a (diff)
download	bluez-e2b0f0d8d63e1223bb714a9efb37e2257818268b.tar.gz