From 86a2b9551e7352b6f9115c0b057b0d9133079e25 Mon Sep 17 00:00:00 2001
From: Marcel Holtmann
Date: Tue, 24 Jun 2008 00:22:20 +0000
Subject: Use the safe versions for SDP record extraction
---
 common/glib-helper.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/common/glib-helper.c b/common/glib-helper.c
index eab30b5e..931b99a5 100644
--- a/common/glib-helper.c
+++ b/common/glib-helper.c
@@ -115,7 +115,7 @@ static void search_completed_cb(uint8_t type, uint16_t status,
 {
 struct search_context *ctxt = user_data;
 sdp_list_t *recs = NULL;
- int scanned, seqlen = 0;
+ int scanned, seqlen = 0, bytesleft = size;
 uint8_t dataType;
 int err = 0;
@@ -124,17 +124,18 @@ static void search_completed_cb(uint8_t type, uint16_t status,
 goto done;
 }
- scanned = sdp_extract_seqtype(rsp, &dataType, &seqlen);
+ scanned = sdp_extract_seqtype_safe(rsp, bytesleft, &dataType, &seqlen);
 if (!scanned || !seqlen)
 goto done;
 rsp += scanned;
+ bytesleft -= scanned;
 do {
 sdp_record_t *rec;
 int recsize;
 recsize = 0;
- rec = sdp_extract_pdu(rsp, &recsize);
+ rec = sdp_extract_pdu_safe(rsp, bytesleft, &recsize);
 if (!rec)
 break;
@@ -145,9 +146,10 @@ static void search_completed_cb(uint8_t type, uint16_t status,
 scanned += recsize;
 rsp += recsize;
+ bytesleft -= recsize;
 recs = sdp_list_append(recs, rec);
- } while (scanned < size);
+ } while (scanned < size && bytesleft > 0);
 done:
 sdp_close(ctxt->session);
-- cgit
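Review bot: `bytesleft = size` in the declaration at the top of search_completed_cb stores the response length in an `int`, and the type of `size` is not visible here because the parameter list continues past the hunk header. If `size` is an unsigned type such as `size_t`, a value above INT_MAX would turn into a negative bound handed to the `_safe` extractors, and the later `scanned < size` comparison would mix signed and unsigned operands. Consider rejecting an oversized response before the first extraction, for example `if (size > INT_MAX) goto done;`, or, if the caller already bounds the length, saying so in a comment next to the declaration.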
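Review bot: The check after `sdp_extract_seqtype_safe()` still rejects only a zero return (`if (!scanned || !seqlen)`), so whether a negative or over-long result can reach `rsp += scanned` and the new `bytesleft -= scanned` depends on the helper's contract, which is not shown on this page. A negative `scanned` would move `rsp` backwards and enlarge `bytesleft`, defeating the bound this commit introduces. Tightening the guard to `if (scanned <= 0 || scanned > bytesleft || seqlen <= 0) goto done;` keeps the caller safe regardless of what the helper returns. The function body starts and ends outside this hunk.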
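Review bot: `rsp += recsize` and `bytesleft -= recsize` run before anything visible in this hunk compares `recsize` with the bytes that remain; the lines between this hunk and the previous one are not shown, so a check may already exist there. If `recsize` can exceed `bytesleft`, `rsp` is advanced past the end of the response before the loop condition stops the loop, and a negative `recsize` would keep the loop running with a growing bound. A guard ahead of the three updates, `if (recsize <= 0 || recsize > bytesleft) { sdp_record_free(rec); break; }`, closes both cases. As a style point, `scanned` and `bytesleft` now track the same quantity, so `scanned < size && bytesleft > 0` tests one invariant twice; keeping only `bytesleft` would leave a single counter to maintain.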