author | Iain Hibbert <plunky@rya-online.net> | 2010-02-17 18:58:37 +0000 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2012-12-17 23:53:00 +0100 |
commit | b1cf1d94a05dc0c7c2009ffed540d804fc83da61 (patch) | |
tree | 05b0ac3d63862358c11dffcfecf8ad5c92de745e /tools/parser/obex.c | |
parent | 053d539a7b7291c3e8b8b93dc2e54f467e4b8e5a (diff) | |
download | bluez-b1cf1d94a05dc0c7c2009ffed540d804fc83da61.tar.gz |
hcidump: Prevent buffer overruns when parsing invalid OBEX frames
Diffstat (limited to 'tools/parser/obex.c')
-rw-r--r-- | tools/parser/obex.c | 47 |
1 files changed, 41 insertions, 6 deletions
diff --git a/tools/parser/obex.c b/tools/parser/obex.c
index 133f2a2e3..50b9737cc 100644
--- a/tools/parser/obex.c
+++ b/tools/parser/obex.c
@@ -200,27 +200,55 @@ static void parse_headers(int level, struct frame *frm)
 printf("%s (0x%02x)", hi2str(hi), hi);
 switch (hi & 0xc0) {
 case 0x00: /* Unicode */
+ if (frm->len < 2) {
+ printf("\n");
+ return;
+ }
+
 len = get_u16(frm) - 3;
 printf(" = Unicode length %d\n", len);
+
+ if (frm->len < len)
+ return;
+
 raw_ndump(level, frm, len);
 frm->ptr += len;
 frm->len -= len;
 break;
 case 0x40: /* Byte sequence */
+ if (frm->len < 2) {
+ printf("\n");
+ return;
+ }
+
 len = get_u16(frm) - 3;
 printf(" = Sequence length %d\n", len);
+
+ if (frm->len < len)
+ return;
+
 raw_ndump(level, frm, len);
 frm->ptr += len;
 frm->len -= len;
 break;
 case 0x80: /* One byte */
+ if (frm->len < 1) {
+ printf("\n");
+ return;
+ }
+
 hv8 = get_u8(frm);
 printf(" = %d\n", hv8);
 break;
 case 0xc0: /* Four bytes */
+ if (frm->len < 4) {
+ printf("\n");
+ return;
+ }
+
 hv32 = get_u32(frm);
 printf(" = %u\n", hv32);
 break;
@@ -276,6 +304,11 @@ void obex_dump(int level, struct frame *frm)
 switch (opcode & 0x7f) {
 case 0x00: /* Connect */
+ if (frm->len < 4) {
+ printf("\n");
+ return;
+ }
+
 version = get_u8(frm);
 flags = get_u8(frm);
 pktlen = get_u16(frm);
@@ -284,17 +317,19 @@ void obex_dump(int level, struct frame *frm)
 break;
 case 0x05: /* SetPath */
- if (length > 3) {
- flags = get_u8(frm);
- constants = get_u8(frm);
- printf(" flags %d constants %d\n",
- flags, constants);
- } else
+ if (frm->len < 2) {
 printf("\n");
+ return;
+ }
+
+ flags = get_u8(frm);
+ constants = get_u8(frm);
+ printf(" flags %d constants %d\n", flags, constants);
 break;
 default:
 printf("\n");
+ break;
 }
 if ((status & 0x70) && (parser.flags & DUMP_VERBOSE)) { |
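Review bot: The new `frm->len < 2` guard in the Unicode case only proves two bytes are readable; it does not cover a header length field below 3, so `len = get_u16(frm) - 3;` still underflows before the added `frm->len < len` comparison, and the same applies to the Byte sequence case. Whether the wrapped value is then rejected depends on the declared type of `len`, which is outside the hunk: an unsigned 16-bit `len` is caught by `frm->len < len` but first printed as a bogus length, while a signed `len` relies on the usual-arithmetic-conversion against `frm->len` to make the comparison true. Testing the raw field before subtracting makes the intent explicit and independent of those types, e.g. `hl = get_u16(frm); if (hl < 3) { printf(" = bad length %u\n", hl); return; } len = hl - 3;` with a `uint16_t hl` declared alongside `len`. parse_headers begins and ends outside the hunk.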
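Review bot: In the SetPath case the short-frame path now returns from obex_dump, whereas the replaced `} else printf("\n");` branch printed the newline and continued to the `if ((status & 0x70) && (parser.flags & DUMP_VERBOSE))` block visible at the bottom of the hunk, which the `default:` case still reaches via its new `break;`. That is consistent with the Connect case in the previous hunk and is presumably intended, but a one-line comment would save the next reader the comparison: `/* truncated frame: nothing further to dump */` above the `return;`. Bounding on `frm->len` (bytes actually captured) instead of the packet's own `length` field is the right choice here, since `length` comes from the frame being parsed. obex_dump continues past the end of the hunk.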