summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--src/sdp.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/src/sdp.c b/src/sdp.c
index 4217aedd..f8953c42 100644
--- a/src/sdp.c
+++ b/src/sdp.c
@@ -2643,6 +2643,13 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device,
if (status < 0)
goto end;
+ if (rspsize < sizeof(sdp_pdu_hdr_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
+
rsphdr = (sdp_pdu_hdr_t *) rsp;
p = rsp + sizeof(sdp_pdu_hdr_t);
@@ -2654,6 +2661,12 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device,
errno = EPROTO;
status = -1;
} else {
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint32_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
if (handle)
*handle = ntohl(bt_get_unaligned((uint32_t *) p));
}
@@ -2749,6 +2762,13 @@ int sdp_device_record_unregister_binary(sdp_session_t *session, bdaddr_t *device
if (status < 0)
goto end;
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
+
rsphdr = (sdp_pdu_hdr_t *) rspbuf;
p = rspbuf + sizeof(sdp_pdu_hdr_t);
status = bt_get_unaligned((uint16_t *) p);
@@ -2848,6 +2868,13 @@ int sdp_device_record_update(sdp_session_t *session, bdaddr_t *device, const sdp
if (status < 0)
goto end;
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
+
SDPDBG("Send req status : %d\n", status);
rsphdr = (sdp_pdu_hdr_t *) rspbuf;