Before manipulating data from previous partial responses, make sure the buffer has enough data.
---
 lib/sdp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/sdp.c b/lib/sdp.c
index e212c29..3855381 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4144,7 +4144,7 @@ int sdp_process(sdp_session_t *session)
 if (t->rsp_concat_buf.data_size == 0) {
 /* first fragment */
 rsp_count = sizeof(tsrc) + sizeof(csrc) + csrc * 4;
- } else {
+ } else if (t->rsp_concat_buf.data_size >= sizeof(uint16_t) * 2) {
 /* point to the first csrc */
 uint8_t *pcsrc = t->rsp_concat_buf.data + 2;
 uint16_t tcsrc, tcsrc2;
@@ -4161,6 +4161,11 @@ int sdp_process(sdp_session_t *session)
 pdata += sizeof(uint16_t);
 /* point to the first handle */
 rsp_count = csrc * 4;
+ } else {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid PDU size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
 }
 status = 0x0000;
 break;
-- 
1.7.9.5
-- 
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
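Review bot: The new bound `sizeof(uint16_t) * 2` in the first hunk is only meaningful to a reader who knows that the else branch reads a 16-bit value at offset 2 of the accumulated buffer (`uint8_t *pcsrc = t->rsp_concat_buf.data + 2;`), presumably after a first 16-bit count at offset 0; a comment on the condition would pin that down, e.g. `/* need both 16-bit counts from the earlier fragment before reading pcsrc */`. The same applies to the new `} else {` in the second hunk, whose log line `SDPERR("Protocol error: invalid PDU size")` describes the rejected case as a PDU-size problem although the quantity checked is the size of the data concatenated from previous fragments; `SDPERR("Protocol error: concatenated response too short")` would name the actual condition. Whether `t->rsp_concat_buf` is released or reset on the `goto end` path cannot be seen from here, since the `end` label and the rest of sdp_process lie outside both hunks. The body of the else-if branch also continues between the two hunks.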