If number of attributes remote side provided is larger than the length we read, we would read garbage from stack memory.
---
 audio/avrcp.c | 8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/audio/avrcp.c b/audio/avrcp.c
index 0ca91a5..8b46650 100644
--- a/audio/avrcp.c
+++ b/audio/avrcp.c
@@ -597,12 +597,16 @@ static uint8_t avrcp_handle_get_element_attributes(struct avrcp_player *player,
 int size;
 unsigned int i;
- if (len < 8 || *identifier != 0)
+ if (len < 9 || *identifier != 0)
+ goto err;
+
+ nattr = pdu->params[8];
+
+ if (len < nattr * sizeof(uint32_t) + 1)
 goto err;
 len = 0;
 pos = 1; /* Keep track of current position in reponse */
- nattr = pdu->params[8];
 if (!nattr) {
 /*
--
1.7.7
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
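Review bot: The added bound `if (len < nattr * sizeof(uint32_t) + 1)` counts only the attribute-count byte and leaves out the 8-byte identifier in front of it, so it looks 8 bytes too permissive. The first check already treats the count as living at `params[8]`, which implies the attribute IDs start at offset 9; a PDU with `len == 9` and `nattr == 2` passes the new test although it carries no attribute bytes at all. If the IDs are indeed read from `&pdu->params[9]`, the guard should be `if (len < 9 + nattr * sizeof(uint32_t))`, ideally with a short comment such as `/* 8-byte identifier + 1-byte count + nattr 32-bit attribute IDs */`. The code that actually reads the attribute IDs is outside this hunk, so the offset should be confirmed there before changing the constant.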