[PATCH] Bug in sdp_set_supp_features solved

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

>From 567522ed4ac5912d967fef3017bf905591b5c24e Mon Sep 17 00:00:00 2001
From: Jose Antonio Santos Cadenas <santoscadenas@xxxxxxxxx>
Date: Wed, 28 Apr 2010 12:02:31 +0200
Subject: [PATCH] Bug in sdp_set_supp_features solved

When the data is a string or a sequence, it is not ok to dereference
data->val because it is already a pointer.
---
 lib/sdp.c |   33 +++++++++++++++++++++++++++++++--
 1 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/lib/sdp.c b/lib/sdp.c
index 5f1f2fc..f9a6541 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4709,6 +4709,7 @@ int sdp_set_supp_feat(sdp_record_t *rec, const sdp_list_t *sf)
 	for (p = sf, i = 0; p; p = p->next, i++) {
 		int plen, j;
 		void **dtds, **vals;
+		int *sizes;

 		plen = sdp_list_len(p->data);
 		dtds = malloc(plen * sizeof(void *));
@@ -4719,14 +4720,42 @@ int sdp_set_supp_feat(sdp_record_t *rec, const sdp_list_t *sf)
 			free(dtds);
 			goto fail;
 		}
+		sizes = malloc(plen * sizeof(int *));
+		if (!sizes) {
+			free(dtds);
+			free(vals);
+			goto fail;
+		}
 		for (r = p->data, j = 0; r; r = r->next, j++) {
 			sdp_data_t *data = (sdp_data_t*)r->data;
 			dtds[j] = &data->dtd;
-			vals[j] = &data->val;
+			switch (data->dtd) {
+			case SDP_URL_STR8:
+			case SDP_URL_STR16:
+			case SDP_TEXT_STR8:
+			case SDP_TEXT_STR16:
+				vals[j] = data->val.str;
+				sizes[j] = data->unitSize - sizeof(uint8_t);
+				break;
+			case SDP_ALT8:
+			case SDP_ALT16:
+			case SDP_ALT32:
+			case SDP_SEQ8:
+			case SDP_SEQ16:
+			case SDP_SEQ32:
+				vals[j] = data->val.dataseq;
+				sizes[j] = 0;
+				break;
+			default:
+				vals[j] = &data->val;
+				sizes[j] = 0;
+				break;
+			}
 		}
-		feat = sdp_seq_alloc(dtds, vals, plen);
+		feat = sdp_seq_alloc_with_length(dtds, vals, sizes, plen);
 		free(dtds);
 		free(vals);
+		free(sizes);
 		if (!feat)
 			goto fail;
 		seqDTDs[i] = &feat->dtd;
--
1.6.3.3

--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Bluez Devel]     [Linux Wireless Networking]     [Linux Wireless Personal Area Networking]     [Linux ATH6KL]     [Linux USB Devel]     [Linux Media Drivers]     [Linux Audio Users]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux