Hi Johan,
> Hi Inga,
>
> On Thu, Aug 05, 2010, Inga Stotland wrote:
>> + while (len < EIR_DATA_LENGTH - 1) {
>> + uint8_t type = eir_data[1];
>> + uint8_t field_len = eir_data[0];
>> +
>> + /* Check for the end of EIR */
>> + if (field_len == 0)
>> + break;
>
> Shouldn't there also be another check here:
>
> /* Bail out if field_len claims to reach beyond the EIR
> * data end */
> if (len + field_len + 1 >= EIR_DATA_LENGTH)
> break;
>
After reading in eir_data[0] & eir_data[1] (and those reads are valid due
to passing the "while (len < EIR_DATA_LENGTH - 1)" check above) there are
no more memory accesses in the loop. And if we do end up reading in field
length that's bogus, we fail the "while" check on next iteration, exit the
loop, fail the "(len > EIR_DATA_LENGTH)" and bail out of the routine with
NULL return value.
Actually, I originally had the check for field length inside the loop, but
then moved it outside for efficiency reasons.
Thanks,
Inga
--
Sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.
>
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
