diff options
author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2021-04-29 18:18:57 -0700 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2021-05-04 16:56:18 -0700 |
commit | e2b0f0d8d63e1223bb714a9efb37e2257818268b (patch) | |
tree | 8094bc66dfd2de999e902bda1a507cbdc5c3d542 /profiles | |
parent | 7a80d2096f1b7125085e21448112aa02f49f5e9a (diff) | |
download | bluez-e2b0f0d8d63e1223bb714a9efb37e2257818268b.tar.gz |
avrcp: Fix not checking if params_len match number of received bytes
This makes sure the number of bytes in the params_len matches the
remaining bytes received so the code don't end up accessing invalid
memory.
Diffstat (limited to 'profiles')
-rw-r--r-- | profiles/audio/avrcp.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c index 05dd791de..c6a342ee3 100644 --- a/profiles/audio/avrcp.c +++ b/profiles/audio/avrcp.c @@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction, goto err_metadata; } + operands += sizeof(*pdu); + operand_count -= sizeof(*pdu); + + if (pdu->params_len != operand_count) { + DBG("AVRCP PDU parameters length don't match"); + pdu->params_len = operand_count; + } + for (handler = session->control_handlers; handler->pdu_id; handler++) { if (handler->pdu_id == pdu->pdu_id) break; |