On Wednesday 26 June 2013 22:26:35 Szymon Janc wrote: > This is an improved version of recently reverted commit 1796f00e8465. > Response size is verified against minimal allowed value only if it is > complete response. If response is partial it is allowed by spec that > it will be split in arbitrary manner. > > Verified against Nokia BH217 on which original commit caused > regression. > --- > lib/sdp.c | 8 ++++++++ > 1 file changed, 8 insertions(+) > > diff --git a/lib/sdp.c b/lib/sdp.c > index d8bfc51..54a99b6 100644 > --- a/lib/sdp.c > +++ b/lib/sdp.c > @@ -4243,6 +4243,14 @@ int sdp_process(sdp_session_t *session) > rsp_count = bt_get_be16(pdata); > SDPDBG("Attrlist byte count : %d", rsp_count); > > + /* Valid range for rsp_count is 0x0002-0xFFFF */ > + if (t->rsp_concat_buf.data_size == 0 && rsp_count < 0x0002) { > + t->err = EPROTO; > + SDPERR("Protocol error: invalid AttrList size"); > + status = SDP_INVALID_PDU_SIZE; > + goto end; > + } > + > /* > * Number of bytes in the AttributeLists parameter(without > * continuation state) + AttributeListsByteCount field size. ping
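
Review bot: In the added condition in sdp_process(), `t->rsp_concat_buf.data_size == 0` appears to say only that nothing has been buffered from earlier fragments, which would also hold for the first fragment of a split response, so the test is wider than the commit message's "only if it is complete response". If a first fragment with rsp_count below 0x0002 is allowed when the response is partial, it would still be rejected here with SDP_INVALID_PDU_SIZE. Consider also requiring that this PDU carries no continuation state before applying the lower bound, and extend the comment "Valid range for rsp_count is 0x0002-0xFFFF" to state that the minimum applies to complete responses only, since the code just below the hunk goes on to use rsp_count for size arithmetic and a reader needs to know which cases reach it unchecked.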