According to SDP spec, the byte count fields for these PDUs have a valid range of 0x0002-0xFFFF.
---
 lib/sdp.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/lib/sdp.c b/lib/sdp.c
index f3a0c17..e212c29 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4169,6 +4169,14 @@ int sdp_process(sdp_session_t *session)
 rsp_count = bt_get_be16(pdata);
 SDPDBG("Attrlist byte count : %d\n", rsp_count);
 
+ /* Valid range for rsp_count is 0x0002-0xFFFF */
+ if (rsp_count < 0x0002) {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid AttrList size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
+ }
+
 /*
 * Number of bytes in the AttributeLists parameter(without
 * continuation state) + AttributeListsByteCount field size.
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
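Review bot: The added guard enforces only the lower bound of the 0x0002-0xFFFF range, which is sufficient because rsp_count is assigned from bt_get_be16() and so cannot exceed 0xFFFF, but the comment above it reads as if both bounds were being checked; say so explicitly, e.g. `/* Valid range is 0x0002-0xFFFF; the upper bound is implied by the 16-bit read, so only counts below 2 are rejected here */`. Whether rsp_count is also bounded against the number of bytes actually present in the received PDU is decided by code after this hunk that is not visible here; that remaining-length comparison is what protects the parse of the AttributeLists payload, so confirm it is still performed after this early exit is taken. For diagnosability the rejection log could carry the offending value, `SDPERR("Protocol error: invalid AttrList size %d", rsp_count);`, matching the SDPDBG line just above it. sdp_process() starts and ends outside this hunk, so the `end` label and the `status` variable the new branch relies on cannot be checked from here.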