This is an improved version of recently reverted commit 1796f00e8465. Response size is verified against minimal allowed value only if it is complete response. If response is partial it is allowed by spec that it will be split in arbitrary manner. Verified against Nokia BH217 on which original commit caused regression.
---
 lib/sdp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/sdp.c b/lib/sdp.c
index d8bfc51..54a99b6 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4243,6 +4243,14 @@ int sdp_process(sdp_session_t *session)
 rsp_count = bt_get_be16(pdata);
 SDPDBG("Attrlist byte count : %d", rsp_count);
 
+ /* Valid range for rsp_count is 0x0002-0xFFFF */
+ if (t->rsp_concat_buf.data_size == 0 && rsp_count < 0x0002) {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid AttrList size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
+ }
+
 /*
 * Number of bytes in the AttributeLists parameter(without
 * continuation state) + AttributeListsByteCount field size.
-- 
1.8.3.1
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
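Review bot: The added guard keys off `t->rsp_concat_buf.data_size == 0`, i.e. "no earlier fragment has been accumulated", which is not the same as the "complete response" condition the description gives: a first PDU that carries a continuation state would still be rejected when its AttributeListsByteCount is 0 or 1, although the description says a partial response may be split arbitrarily. If rejecting such a first fragment is intended, the comment should say so, e.g. `/* First PDU of a response must carry at least 2 bytes of AttributeLists; bt_get_be16() bounds the upper end at 0xFFFF */`; otherwise the condition should also require that the PDU has no continuation state, which is presumably parsed later in the function and is outside this hunk. Logging the rejected value, `SDPERR("Protocol error: invalid AttrList size %d", rsp_count);`, would make this rejection easier to diagnose against devices such as the one named in the description. sdp_process() starts and ends outside the hunk.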