author | Marcel Holtmann <marcel@holtmann.org> | 2008-06-24 00:26:47 +0000 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2008-06-24 00:26:47 +0000 |
commit | f39c79a261bf19109234df386959fc855d84d202 (patch) | |
tree | 6ebb46b7ba25bb62523d1bb568ad4a56dfc621cf /sdpd/request.c | |
parent | bf39ef3c93da52c445a181b840cbd45601979481 (diff) |
Use safe functions for the server PDU extraction
Diffstat (limited to 'sdpd/request.c')
-rw-r--r-- | sdpd/request.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/sdpd/request.c b/sdpd/request.c
index 44b65f69..9020dd38 100644
--- a/sdpd/request.c
+++ b/sdpd/request.c
@@ -67,8 +67,9 @@ static int extract_des(uint8_t *buf, int len, sdp_list_t **svcReqSeq, uint8_t *p
 uint8_t dataType;
 int status = 0;
 const uint8_t *p;
+ int bufsize;
- scanned = sdp_extract_seqtype(buf, &seqType, &data_size);
+ scanned = sdp_extract_seqtype_safe(buf, len, &seqType, &data_size);
 debug("Seq type : %d", seqType);
 if (!scanned || (seqType != SDP_SEQ8 && seqType != SDP_SEQ16)) {
@@ -76,6 +77,7 @@ static int extract_des(uint8_t *buf, int len, sdp_list_t **svcReqSeq, uint8_t *p
 return -1;
 }
 p = buf + scanned;
+ bufsize = len - scanned;
 debug("Data size : %d", data_size);
@@ -83,6 +85,11 @@ static int extract_des(uint8_t *buf, int len, sdp_list_t **svcReqSeq, uint8_t *p
 char *pElem = NULL;
 int localSeqLength = 0;
+ if (bufsize < sizeof(uint8_t)) {
+ debug("->Unexpected end of buffer");
+ return -1;
+ }
+
 dataType = *(uint8_t *)p;
 debug("Data type: 0x%02x", dataType);
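Review bot: `bufsize = len - scanned;` is derived from the PDU length, but `data_size`, the value `sdp_extract_seqtype_safe` pulled out of the sequence header (presumably the byte length of the sequence body), is only printed by the `debug` on the next line and never compared with it. If the element loop that follows (it starts outside this hunk) runs up to `data_size`, a header that claims more bytes than the PDU carries is only caught element by element, after earlier elements have already been allocated; an early `if (data_size > bufsize) return -1;` right after the assignment rejects such a PDU before any work is done. It also makes explicit the invariant the later per-element checks rely on, namely that `bufsize` is the number of bytes left after the sequence header.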
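Review bot: `if (bufsize < sizeof(uint8_t))` compares a signed `int` against a `size_t`, so `bufsize` is converted to unsigned before the comparison; a negative remainder would be treated as a huge value, the check would pass, and `dataType = *(uint8_t *)p;` on the following line would read past the buffer. On the paths visible in this diff `bufsize` never drops below zero, so this is a robustness point rather than a reachable bug, but the function parses attacker-supplied PDUs and the mismatch costs nothing to remove: `if (bufsize < (int)sizeof(uint8_t)) {` or simply `if (bufsize <= 0) {`. `-Wsign-compare` would flag the current form; the enclosing loop and function continue outside the hunk.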
@@ -100,27 +107,42 @@ static int extract_des(uint8_t *buf, int len, sdp_list_t **svcReqSeq, uint8_t *p
 case SDP_UINT16:
 p += sizeof(uint8_t);
 seqlen += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
+ if (bufsize < sizeof(uint16_t)) {
+ debug("->Unexpected end of buffer");
+ return -1;
+ }
+
 pElem = malloc(sizeof(uint16_t));
 bt_put_unaligned(ntohs(bt_get_unaligned((uint16_t *)p)), (uint16_t *)pElem);
 p += sizeof(uint16_t);
 seqlen += sizeof(uint16_t);
+ bufsize -= sizeof(uint16_t);
 break;
 case SDP_UINT32:
 p += sizeof(uint8_t);
 seqlen += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
+ if (bufsize < (int)sizeof(uint32_t)) {
+ debug("->Unexpected end of buffer");
+ return -1;
+ }
+
 pElem = malloc(sizeof(uint32_t));
 bt_put_unaligned(ntohl(bt_get_unaligned((uint32_t *)p)), (uint32_t *)pElem);
 p += sizeof(uint32_t);
 seqlen += sizeof(uint32_t);
+ bufsize -= sizeof(uint32_t);
 break;
 case SDP_UUID16:
 case SDP_UUID32:
 case SDP_UUID128:
 pElem = malloc(sizeof(uuid_t));
- status = sdp_uuid_extract(p, (uuid_t *)pElem, &localSeqLength);
+ status = sdp_uuid_extract_safe(p, bufsize, (uuid_t *) pElem, &localSeqLength);
 if (status == 0) {
 seqlen += localSeqLength;
 p += localSeqLength;
+ bufsize -= localSeqLength;
 }
 break;
 default:
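Review bot: The two new bounds checks in this hunk are written differently: the SDP_UINT16 case uses `if (bufsize < sizeof(uint16_t))`, an unsigned comparison because `bufsize` is an `int`, while the SDP_UINT32 case casts with `if (bufsize < (int)sizeof(uint32_t))`. Both behave correctly as long as `bufsize` is non-negative, which the check at the top of the loop ensures on the visible paths, but the inconsistency invites a future copy that gets it wrong; use the cast form in the UINT16 case as well, `if (bufsize < (int)sizeof(uint16_t)) {`, or declare `bufsize` as `size_t` and drop both casts. The UUID branch passes `bufsize` to `sdp_uuid_extract_safe` and then does `bufsize -= localSeqLength;`, which stays non-negative only if that helper never reports a length larger than the bound it was given; the helper is not in this diff, so that is worth confirming. The `malloc` results in this switch are still written through unchecked by the `bt_put_unaligned` calls, a pre-existing issue the commit does not address.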