From d039784990775ec85aa51f080b2db9feb0604a35 Mon Sep 17 00:00:00 2001
From: Claudio Takahasi
Date: Thu, 30 Aug 2007 14:14:53 +0000
Subject: network: more robust bnep setup conn msg validation

---
 network/server.c | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/network/server.c b/network/server.c
index 5a441ee6..672fd555 100644
--- a/network/server.c
+++ b/network/server.c
@@ -423,10 +423,10 @@ static gboolean connect_setup_event(GIOChannel *chan,
 	struct bnep_setup_conn_req *req;
 	unsigned char pkt[BNEP_MTU];
 	char path[MAX_PATH_LENGTH];
-	gsize n;
-	GIOError gerr;
-	uint8_t *pservice;
 	uint16_t dst_role, src_role, response;
+	uint8_t *pservice;
+	GIOError gerr;
+	gsize n;
 
 	if (cond & G_IO_NVAL)
 		return FALSE;
@@ -437,30 +437,28 @@ static gboolean connect_setup_event(GIOChannel *chan,
 		return FALSE;
 	}
 
+	memset(pkt, 0, sizeof(pkt));
+	n = 0;
 	gerr = g_io_channel_read(chan, (gchar *)pkt, sizeof(pkt) - 1, &n);
 	if (gerr != G_IO_ERROR_NONE)
 		return FALSE;
 
-	if (n < sizeof(*req)) {
-		error("Invalid BNEP packet size");
-		return FALSE;
-	}
-
-	req = (void *)pkt;
-	if (req->type != BNEP_CONTROL || req->ctrl != BNEP_SETUP_CONN_REQ) {
-		error("Invalid BNEP control packet content");
-		return FALSE;
-	}
-
+	req = (struct bnep_setup_conn_req *) pkt;
 	/*
 	 * FIXME: According to BNEP SPEC the UUID size can be
 	 * 2-16 bytes. Currently only 2 bytes size is supported
 	 */
-	if (req->uuid_size != 2) {
+	if (req->uuid_size != 2 || n != (sizeof(*req) + req->uuid_size * 2)) {
+		error("Invalid BNEP packet size");
 		response = BNEP_CONN_INVALID_SVC;
 		goto reply;
 	}
 
+	if (req->type != BNEP_CONTROL || req->ctrl != BNEP_SETUP_CONN_REQ) {
+		error("Invalid BNEP control packet content");
+		return FALSE;
+	}
+
 	pservice = req->service;
 	/* Getting destination service: considering 2 bytes size */
 	dst_role = ntohs(bt_get_unaligned((uint16_t *) pservice));
-- 
cgit
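Review bot: The new check `n != (sizeof(*req) + req->uuid_size * 2)` reads `req->uuid_size` before anything establishes that the read returned at least `sizeof(*req)` bytes, so on a short read the value being compared comes from the zero-fill added by `memset`, not from the peer; the removed `if (n < sizeof(*req))` guard made that bound explicit and should be restored before the cast as `if (n < sizeof(*req)) { error("Invalid BNEP packet size"); return FALSE; }`, so that correctness no longer depends silently on the `memset` staying in place. Because the size/uuid check now runs before the `type`/`ctrl` check, a frame that is not a BNEP_SETUP_CONN_REQ but has the wrong length is now answered with `BNEP_CONN_INVALID_SVC` through `goto reply` instead of being dropped as the old order did; moving the `type`/`ctrl` block back above the size check keeps the reply path reserved for genuine setup requests. The combined condition also logs "Invalid BNEP packet size" when the length is right but `uuid_size` is not 2, which is misleading for anyone debugging from logs; a separate message for the unsupported-UUID-size case would help. The enclosing function `connect_setup_event` continues past the end of this hunk.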