diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2008-06-23 07:29:13 +0000 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2008-06-23 07:29:13 +0000 |
commit | ca0d3dc0bb5a573b44496847919cc02c9da2016f (patch) | |
tree | b05a14dc58f6fc2130c0192f54713dbd163c883b /src | |
parent | 121c632f01e3f49a69a9d637e0da4d25c2ee090d (diff) |
More validation of incoming packet lengths
Diffstat (limited to 'src')
-rw-r--r-- | src/sdp.c | 27 |
1 files changed, 27 insertions, 0 deletions
@@ -2643,6 +2643,13 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device, if (status < 0) goto end; + if (rspsize < sizeof(sdp_pdu_hdr_t)) { + SDPERR("Unexpected end of packet"); + errno = EPROTO; + status = -1; + goto end; + } + rsphdr = (sdp_pdu_hdr_t *) rsp; p = rsp + sizeof(sdp_pdu_hdr_t); @@ -2654,6 +2661,12 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device, errno = EPROTO; status = -1; } else { + if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint32_t)) { + SDPERR("Unexpected end of packet"); + errno = EPROTO; + status = -1; + goto end; + } if (handle) *handle = ntohl(bt_get_unaligned((uint32_t *) p)); } @@ -2749,6 +2762,13 @@ int sdp_device_record_unregister_binary(sdp_session_t *session, bdaddr_t *device if (status < 0) goto end; + if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) { + SDPERR("Unexpected end of packet"); + errno = EPROTO; + status = -1; + goto end; + } + rsphdr = (sdp_pdu_hdr_t *) rspbuf; p = rspbuf + sizeof(sdp_pdu_hdr_t); status = bt_get_unaligned((uint16_t *) p); @@ -2848,6 +2868,13 @@ int sdp_device_record_update(sdp_session_t *session, bdaddr_t *device, const sdp if (status < 0) goto end; + if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) { + SDPERR("Unexpected end of packet"); + errno = EPROTO; + status = -1; + goto end; + } + SDPDBG("Send req status : %d\n", status); rsphdr = (sdp_pdu_hdr_t *) rspbuf; |