Hi Vinicius,

On Thu, Oct 13, 2011, Vinicius Costa Gomes wrote:
> +	while (len < HCI_MAX_EIR_LENGTH - 1) {
> +		uint8_t field_len = eir_data[0];
> +
> +		/* Check for the end of EIR */
> +		if (field_len == 0)
> +			break;

I suppose there should also be a check for:

	if (len + field_len > HCI_MAX_EIR_LENGTH)
		goto failed;

Otherwise you're gonna access past the end of the eir_data buffer when
you do the memcpy later.

> +
> +		switch (eir_data[1]) {
> +		case EIR_NAME_SHORT:
> +		case EIR_NAME_COMPLETE:
> +			if (field_len > HCI_MAX_NAME_LENGTH)
> +				goto failed;

If you add the if-statement I suggested earlier you can remove this one
(since it becomes redundant).

> +
> +			memcpy(name, &eir_data[2], field_len - 1);
> +			return;
> +		}
> +
> +		len += field_len + 1;
> +		eir_data += field_len + 1;
> +	}
> +
> +failed:
> +	sprintf(name, "(unknown)");
> +	return;
> +}

Please remove the unnecessary return statement here.

Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
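Review bot: the EIR_NAME_SHORT/EIR_NAME_COMPLETE branch copies field_len - 1 bytes into name with memcpy and returns without writing a terminating NUL, so unless the caller guarantees that name is zero-filled and at least one byte longer than the largest possible field, callers that treat name as a C string will read past the copied bytes. Write the terminator explicitly after the copy, e.g. `name[field_len - 1] = '\0';`, and keep the `len + field_len > HCI_MAX_EIR_LENGTH` bound check suggested above in front of it so the read from eir_data stays inside the buffer; with both in place the `field_len > HCI_MAX_NAME_LENGTH` test can go, as already noted, provided name is sized HCI_MAX_NAME_LENGTH or more.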