diff options
| -rw-r--r-- | src/sdp.c | 27 | 
1 files changed, 27 insertions, 0 deletions
| @@ -2643,6 +2643,13 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device,  	if (status < 0)  		goto end; +	if (rspsize < sizeof(sdp_pdu_hdr_t)) { +		SDPERR("Unexpected end of packet"); +		errno = EPROTO; +		status = -1; +		goto end; +	} +  	rsphdr = (sdp_pdu_hdr_t *) rsp;  	p = rsp + sizeof(sdp_pdu_hdr_t); @@ -2654,6 +2661,12 @@ int sdp_device_record_register_binary(sdp_session_t *session, bdaddr_t *device,  		errno = EPROTO;  		status = -1;  	} else { +		if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint32_t)) { +			SDPERR("Unexpected end of packet"); +			errno = EPROTO; +			status = -1; +			goto end; +		}  		if (handle)  			*handle  = ntohl(bt_get_unaligned((uint32_t *) p));  	} @@ -2749,6 +2762,13 @@ int sdp_device_record_unregister_binary(sdp_session_t *session, bdaddr_t *device  	if (status < 0)  		goto end; +	if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) { +		SDPERR("Unexpected end of packet"); +		errno = EPROTO; +		status = -1; +		goto end; +	} +  	rsphdr = (sdp_pdu_hdr_t *) rspbuf;  	p = rspbuf + sizeof(sdp_pdu_hdr_t);  	status = bt_get_unaligned((uint16_t *) p); @@ -2848,6 +2868,13 @@ int sdp_device_record_update(sdp_session_t *session, bdaddr_t *device, const sdp  	if (status < 0)  		goto end; +	if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) { +		SDPERR("Unexpected end of packet"); +		errno = EPROTO; +		status = -1; +		goto end; +	} +  	SDPDBG("Send req status : %d\n", status);  	rsphdr = (sdp_pdu_hdr_t *) rspbuf; | 
