amp_assoc_dump() didn't check the length of amp assoc struct of
Type-Length-Value (TLV) triplets, and the Connected Chan List
(number of triplets) is also need to check, or there are wrong
length for the number of triplets.
Signed-off-by: Cho, Yu-Chen <acho@xxxxxxxx>
---
tools/parser/amp.c | 69 +++++++++++++++++++++++++---------------------
1 file changed, 38 insertions(+), 31 deletions(-)
diff --git a/tools/parser/amp.c b/tools/parser/amp.c
index 158ca4a75..420099c90 100644
--- a/tools/parser/amp.c
+++ b/tools/parser/amp.c
@@ -33,7 +33,7 @@ static void amp_dump_chanlist(int level, struct amp_tlv *tlv, char *prefix)
struct amp_country_triplet *triplet;
int i, num;
- num = (tlv->len - sizeof(*chan_list)) / sizeof(*triplet);
+ num = sizeof(*chan_list->triplets) / sizeof(*chan_list->triplets[0]);
printf("%s (number of triplets %d)\n", prefix, num);
@@ -80,47 +80,54 @@ void amp_assoc_dump(int level, uint8_t *assoc, uint16_t len)
p_indent(level+1, 0);
- switch (tlv->type) {
- case A2MP_MAC_ADDR_TYPE:
- if (tlvlen != 6)
- break;
- printf("MAC: %2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X\n",
+ if (tlvlen != 0) {
+ switch (tlv->type) {
+ case A2MP_MAC_ADDR_TYPE:
+ if (tlvlen != 6)
+ break;
+ printf("MAC: ");
+ printf("%2.2X:%2.2X:%2.2X:%2.2X:%2.2X:%2.2X\n",
tlv->val[0], tlv->val[1], tlv->val[2],
tlv->val[3], tlv->val[4], tlv->val[5]);
- break;
-
- case A2MP_PREF_CHANLIST_TYPE:
- amp_dump_chanlist(level, tlv, "Preferred Chan List");
- break;
+ break;
- case A2MP_CONNECTED_CHAN:
- amp_dump_chanlist(level, tlv, "Connected Chan List");
- break;
+ case A2MP_PREF_CHANLIST_TYPE:
+ amp_dump_chanlist(level, tlv,
+ "Preferred Chan List");
+ break;
- case A2MP_PAL_CAP_TYPE:
- if (tlvlen != 4)
+ case A2MP_CONNECTED_CHAN:
+ amp_dump_chanlist(level, tlv,
+ "Connected Chan List");
break;
- printf("PAL CAP: %2.2x %2.2x %2.2x %2.2x\n",
+
+ case A2MP_PAL_CAP_TYPE:
+ if (tlvlen != 4)
+ break;
+ printf("PAL CAP: %2.2x %2.2x %2.2x %2.2x\n",
tlv->val[0], tlv->val[1], tlv->val[2],
tlv->val[3]);
- break;
-
- case A2MP_PAL_VER_INFO:
- if (tlvlen != 5)
break;
- ver = (struct amp_pal_ver *) tlv->val;
- printf("PAL VER: %2.2x Comp ID: %4.4x SubVer: %4.4x\n",
+
+ case A2MP_PAL_VER_INFO:
+ if (tlvlen != 5)
+ break;
+ ver = (struct amp_pal_ver *) tlv->val;
+ printf("PAL VER: ");
+ printf("%2.2x Comp ID: %4.4x SubVer: %4.4x\n",
ver->ver, btohs(ver->company_id),
btohs(ver->sub_ver));
- break;
+ break;
- default:
- printf("Unrecognized type %d\n", tlv->type);
- break;
- }
+ default:
+ printf("Unrecognized type %d\n", tlv->type);
+ break;
+ }
- len -= tlvlen + sizeof(*tlv);
- assoc += tlvlen + sizeof(*tlv);
- tlv = (struct amp_tlv *) assoc;
+ len -= tlvlen + sizeof(*tlv);
+ assoc += tlvlen + sizeof(*tlv);
+ tlv = (struct amp_tlv *) assoc;
+ } else
+ break;
}
}
--
2.19.1
