Re: [PATCH 3/3] avrcp: Fix possible buffer overflow and correct length

On Thu, Jan 30, 2014 at 06:12:56PM +0200, Andrei Emeltchenko wrote:
> From: Andrei Emeltchenko <andrei.emeltchenko@xxxxxxxxx>
> 
> Wrong length was given and it was also possible to crash.

ping

> ---
>  profiles/audio/avrcp.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
> index 128f7d3..f9fce5c 100644
> --- a/profiles/audio/avrcp.c
> +++ b/profiles/audio/avrcp.c
> @@ -1899,8 +1899,12 @@ static void avrcp_get_current_player_value(struct avrcp *session,
>  {
>  	uint8_t buf[AVRCP_HEADER_LENGTH + 5];
>  	struct avrcp_header *pdu = (void *) buf;
> +	uint16_t length = AVRCP_HEADER_LENGTH + count + 1;
>  	int i;
>  
> +	if (count + 1 > 5)
> +		return;
> +
>  	memset(buf, 0, sizeof(buf));
>  
>  	set_company_id(pdu->company_id, IEEEID_BTSIG);
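
Review bot: The bound in `if (count + 1 > 5)` repeats the literal 5 from `uint8_t buf[AVRCP_HEADER_LENGTH + 5]`, so the check and the buffer size can drift apart when either line is edited later. Deriving the limit from the buffer (for example comparing `count + 1` against `sizeof(buf) - AVRCP_HEADER_LENGTH`) or giving the 5 a named constant used in both places would keep them tied together. `length` is also computed in its initializer before `count` has been validated; the early return makes that harmless, but assigning it after the check makes the ordering obvious. The bare `return` drops the request with no trace, so an error log on that path would help anyone debugging an oversized attribute list.
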
> @@ -1913,7 +1917,7 @@ static void avrcp_get_current_player_value(struct avrcp *session,
>  		pdu->params[i + 1] = attrs[i];
>  
>  	avctp_send_vendordep_req(session->conn, AVC_CTYPE_STATUS,
> -					AVC_SUBUNIT_PANEL, buf, sizeof(buf),
> +					AVC_SUBUNIT_PANEL, buf, length,
>  					avrcp_player_value_rsp, session);
>  }
>  
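
Review bot: With `length` replacing `sizeof(buf)` in the `avctp_send_vendordep_req()` call, the number of bytes sent now follows `count`, so any parameter length written into the PDU header in the lines between the two hunks (not shown here) has to describe the same `count + 1` bytes that the loop fills via `pdu->params[i + 1] = attrs[i]`. Please confirm the two agree, and consider extending the commit message to say what the wrong length was (the full `sizeof(buf)` regardless of `count`) so the fix is clear from the log alone.
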
> -- 
> 1.8.3.2
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html