From bf39ef3c93da52c445a181b840cbd45601979481 Mon Sep 17 00:00:00 2001
From: Marcel Holtmann
Date: Tue, 24 Jun 2008 00:24:08 +0000
Subject: Use safe PDU extract functions
---
 hcid/dbus-database.c | 4 ++--
 hcid/dbus-sdp.c | 13 +++++++------
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/hcid/dbus-database.c b/hcid/dbus-database.c
index c6a689d2..ab88c8f5 100644
--- a/hcid/dbus-database.c
+++ b/hcid/dbus-database.c
@@ -119,7 +119,7 @@ static DBusMessage *add_service_record(DBusConnection *conn,
 if (len <= 0) return invalid_arguments(msg);
- sdp_record = sdp_extract_pdu(record, &scanned);
+ sdp_record = sdp_extract_pdu_safe(record, len, &scanned);
 if (!sdp_record) {
 error("Parsing of service record failed");
 return failed(msg);
@@ -263,7 +263,7 @@ static DBusMessage *update_service_record(DBusConnection *conn,
 if (!user_record) return not_available(msg);
- sdp_record = sdp_extract_pdu(bin_record, &scanned);
+ sdp_record = sdp_extract_pdu_safe(bin_record, size, &scanned);
 if (!sdp_record) {
 error("Parsing of service record failed");
 return invalid_arguments(msg);
diff --git a/hcid/dbus-sdp.c b/hcid/dbus-sdp.c
index cf018f1e..441e8233 100644
--- a/hcid/dbus-sdp.c
+++ b/hcid/dbus-sdp.c
@@ -499,7 +499,7 @@ static void remote_svc_rec_completed_cb(uint8_t type, uint16_t err,
 dbus_message_iter_open_container(&iter, DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE_AS_STRING, &array_iter);
- rec = sdp_extract_pdu(rsp, &scanned);
+ rec = sdp_extract_pdu_safe(rsp, size, &scanned);
 if (rec == NULL || size != scanned) {
 error("Invalid service record!");
 goto done;
@@ -562,7 +562,7 @@ static void remote_svc_rec_completed_xml_cb(uint8_t type, uint16_t err,
 reply = dbus_message_new_method_return(ctxt->rq);
- rec = sdp_extract_pdu(rsp, &scanned);
+ rec = sdp_extract_pdu_safe(rsp, size, &scanned);
 if (rec == NULL || size != scanned) {
 error("Invalid service record!");
 goto done;
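Review bot: After `sdp_extract_pdu_safe(record, len, &scanned)` in add_service_record only a NULL result is rejected, so a byte array whose parsed record is shorter than `len` is accepted and the trailing bytes are silently ignored; the dbus-sdp.c callbacks in this same patch do compare `scanned` with the buffer size. I would tighten the test to `if (!sdp_record || scanned != len) {`, with the record freed on the mismatch path, and apply the same check against `size` in the update_service_record hunk. In that second hunk the validation of `size` is not visible, so confirm it is range-checked the way `len <= 0` is here. Both function bodies start and end outside their hunks.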
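Review bot: In remote_svc_rec_completed_cb the branch `if (rec == NULL || size != scanned)` also jumps to `done` when the parse succeeded but the lengths differ, so `rec` is a live record at that point. The `done` label lies outside the hunk; confirm it releases `rec`, otherwise every response with a length mismatch leaks one record. The remote_svc_rec_completed_xml_cb hunk has the same pattern and needs the same confirmation. The declarations of `size` and `scanned` are not visible either, so the `size != scanned` comparison should be checked for a signed/unsigned mix.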
@@ -730,7 +730,7 @@ static void remote_svc_identifiers_completed_cb(uint8_t type, uint16_t err,
 char **identifiers;
 DBusMessage *reply;
 GSList *l = NULL;
- int scanned, extracted = 0, len = 0, recsize = 0;
+ int scanned, extracted = 0, len = 0, recsize = 0, bytesleft = size;
 uint8_t dtd = 0;
 if (!ctxt)
@@ -762,14 +762,15 @@ static void remote_svc_identifiers_completed_cb(uint8_t type, uint16_t err,
 goto failed;
 }
- scanned = sdp_extract_seqtype(rsp, &dtd, &len);
+ scanned = sdp_extract_seqtype_safe(rsp, bytesleft, &dtd, &len);
 rsp += scanned;
- for (; extracted < len; rsp += recsize, extracted += recsize) {
+ bytesleft -= scanned;
+ for (; extracted < len; rsp += recsize, extracted += recsize, bytesleft -= recsize) {
 sdp_record_t *rec;
 sdp_data_t *d;
 recsize = 0;
- rec = sdp_extract_pdu_safe(rsp, bytesleft, &recsize);
 if (!rec) break;
-- cgit
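Review bot: `bytesleft` is declared `int` and initialised from `size`, whose declaration is outside this hunk; if `size` is an unsigned or wider type, a large value becomes a negative or truncated bound for the `_safe` parsers. Consider rejecting such input before any parsing, for example `if (size > INT_MAX) goto failed;` (the `failed` label is used later in this function), assuming that path is valid that early. A short comment on the declaration would also help, such as `/* bytesleft: bytes of rsp not yet consumed by the parser */`.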
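Review bot: The result of `sdp_extract_seqtype_safe()` is used unchecked, since `rsp += scanned;` and `bytesleft -= scanned;` run whatever the call returned. The loop is still bounded only by `len`, which the parser fills in from the response, not by `bytesleft`. If `sdp_extract_pdu_safe()` ever returns a record while leaving `recsize` at 0, nothing in the loop header advances, and once `bytesleft` drops to zero or below the parser is handed a non-positive size. I would add `if (scanned <= 0 || scanned > bytesleft) goto failed;` after the seqtype call and bound the loop with `extracted < len && bytesleft > 0`. A `recsize <= 0` test next to `if (!rec)` is worth adding as well, but it must free `rec`, and the loop body continues outside this hunk.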