On Thu, Jan 30, 2014 at 06:12:56PM +0200, Andrei Emeltchenko wrote:
> From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx>
>
> Wrong length was given and it was also possible to crash.
ping
> ---
> profiles/audio/avrcp.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 128f7d3..f9fce5c 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -1899,8 +1899,12 @@ static void avrcp_get_current_player_value(struct avrcp *session,
> {
> uint8_t buf[AVRCP_HEADER_LENGTH + 5];
> struct avrcp_header *pdu = (void *) buf;
> + uint16_t length = AVRCP_HEADER_LENGTH + count + 1;
> int i;
>
> + if (count + 1 > 5)
> + return;
> +
> memset(buf, 0, sizeof(buf));
>
> set_company_id(pdu->company_id, IEEEID_BTSIG);
> @@ -1913,7 +1917,7 @@ static void avrcp_get_current_player_value(struct avrcp *session,
> pdu->params[i + 1] = attrs[i];
>
> avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
> - AVC_SUBUNIT_PANEL, buf, sizeof(buf),
> + AVC_SUBUNIT_PANEL, buf, length,
> avrcp_player_value_rsp, session);
> }
>
> --
> 1.8.3.2
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
