From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
This adds checks for invalid player name length that could cause crashes while reading invalid memory.
---
 profiles/audio/avrcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index e059cff..e4f83b6 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2093,7 +2093,7 @@ static void avrcp_parse_media_player_item(struct avrcp *session,
 avrcp_player_parse_features(player, &operands[8]);
 namelen = bt_get_be16(&operands[26]);
- if (namelen != 0) {
+ if (namelen != 0 && namelen + 28 == len) {
 if (namelen > sizeof(name) - 1)
 namelen = sizeof(name) - 1;
 memcpy(name, &operands[28], namelen);
--
1.8.1.4
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
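Review bot: The added `namelen + 28 == len` test guards only the `memcpy`; the reads at `&operands[8]` and `&operands[26]` just above it in this hunk already assume the item is at least 28 bytes long, and no such check is visible here. If the caller or an earlier part of avrcp_parse_media_player_item (its body starts and ends outside the hunk) does not already guarantee that, a guard such as `if (len < 28) return;` should precede the avrcp_player_parse_features() call. Separately, an item whose name length is inconsistent with `len` is now processed silently without a name; a debug log on that path would make malformed peer responses visible during triage.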