Hi Vinicius,
On Thu, Oct 13, 2011, Vinicius Costa Gomes wrote:
> + while (len < HCI_MAX_EIR_LENGTH - 1) {
> + uint8_t field_len = eir_data[0];
> +
> + /* Check for the end of EIR */
> + if (field_len == 0)
> + break;
I suppose there should also be a check for:
if (len + field_len > HCI_MAX_EIR_LENGTH)
goto failed;
Otherwise you're gonna access past the end of the eir_data buffer when
you do the memcpy later.
> +
> + switch (eir_data[1]) {
> + case EIR_NAME_SHORT:
> + case EIR_NAME_COMPLETE:
> + if (field_len > HCI_MAX_NAME_LENGTH)
> + goto failed;
If you add the if-statement I suggested earlier you can remove this one
(since it becomes redundant).
> +
> + memcpy(name, &eir_data[2], field_len - 1);
> + return;
> + }
> +
> + len += field_len + 1;
> + eir_data += field_len + 1;
> + }
> +
> +failed:
> + sprintf(name, "(unknown)");
> + return;
> +}
Please remove the unnecessary return statement here.
Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
