From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx> We expect dict entries to have a{sv} format but the code don't check if the entries really encode the variant which may lead to a crash in dbus_message_iter_recurse. --- src/advertising.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/advertising.c b/src/advertising.c index ef84e45..e7840bf 100644 --- a/src/advertising.c +++ b/src/advertising.c @@ -298,6 +298,10 @@ static bool parse_advertising_manufacturer_data(GDBusProxy *proxy, dbus_message_iter_get_basic(&entry, &manuf_id); dbus_message_iter_next(&entry); + + if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_VARIANT) + goto fail; + dbus_message_iter_recurse(&entry, &value); if (dbus_message_iter_get_arg_type(&value) != DBUS_TYPE_ARRAY) @@ -356,6 +360,10 @@ static bool parse_advertising_service_data(GDBusProxy *proxy, goto fail; dbus_message_iter_next(&entry); + + if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_VARIANT) + goto fail; + dbus_message_iter_recurse(&entry, &value); if (dbus_message_iter_get_arg_type(&value) != DBUS_TYPE_ARRAY) -- 2.7.4 -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
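Review bot: In the parse_advertising_manufacturer_data hunk the dict key is still read with `dbus_message_iter_get_basic(&entry, &manuf_id);` and no type check is visible before it, so the new DBUS_TYPE_VARIANT test validates only the value half of each entry. libdbus stores whatever basic type the entry actually holds, so a key of a different type could write more bytes than `manuf_id` can hold (its declaration is outside the hunk; presumably it is a 16-bit company identifier). Unless the signature is validated earlier in the function, which starts and ends outside this hunk, I would add `if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_UINT16) goto fail;` ahead of the get_basic call. The parse_advertising_service_data hunk shows a `goto fail;` immediately before `dbus_message_iter_next(&entry);`, which suggests its key is already checked, but that condition is also outside the hunk and should be confirmed.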