[PATCH BlueZ 1/3] lib: Fix buffer overflow when processing SDP response

rsp_count is either read or calculated from untrusted input, and
therefore needs to be checked before being used as offset. The "plen"
variable is appropriate because it is calculated as the sum of fixed and
variable length fields, excluding the continuation state field, which
has at least 1 byte for its own length field.
---
 lib/sdp.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/sdp.c b/lib/sdp.c
index b87f392..f3a0c17 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4189,6 +4189,17 @@ int sdp_process(sdp_session_t *session)
 		goto end;
 	}
 
+	/*
+	 * Out of bound check before using rsp_count as offset for continuation
+	 * state, which has at least a one byte size field.
+	 */
+	if ((n - (int) sizeof(sdp_pdu_hdr_t)) < plen + 1) {
+		t->err = EPROTO;
+		SDPERR("Protocol error: invalid PDU size");
+		status = SDP_INVALID_PDU_SIZE;
+		goto end;
+	}
+
 	pcstate = (sdp_cstate_t *) (pdata + rsp_count);
 
 	SDPDBG("Cstate length : %d\n", pcstate->length);
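Review bot: the new check `if ((n - (int) sizeof(sdp_pdu_hdr_t)) < plen + 1)` only guarantees that the one-byte length field of the continuation state lies inside the received buffer, not the `pcstate->length` bytes that follow it. Once `pcstate` is assigned, a second check that `plen + 1 + pcstate->length` still fits within `n - (int) sizeof(sdp_pdu_hdr_t)` would cover any later read of the continuation data. The bound is also expressed in `plen` while the pointer is built from `pdata + rsp_count`; the in-code comment should state how the two relate so the check can be verified from this spot. The `(int)` cast suggests signed arithmetic is intended, so it is worth confirming that `plen` is not an unsigned type: the comparison would then be done unsigned, and an `n` smaller than the header size could pass it.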
-- 
1.7.9.5
