This patch adds invalid offset handlers to write callbacks of attributes.
---
 client/gatt.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/client/gatt.c b/client/gatt.c
index 416eda953..5713f8343 100644
--- a/client/gatt.c
+++ b/client/gatt.c
@@ -2141,6 +2141,12 @@ static void authorize_write_response(const char *input, void *user_data)
 		goto error;
 	}
 
+	if (aad->offset > chrc->value_len) {
+		err = "org.bluez.Error.InvalidOffset";
+
+		goto error;
+	}
+
 	/* Authorization check of prepare writes */
 	if (prep_authorize) {
 		reply = g_dbus_create_reply(pending_message, DBUS_TYPE_INVALID);
@@ -2272,6 +2278,11 @@ static DBusMessage *chrc_write_value(DBusConnection *conn, DBusMessage *msg,
 		return NULL;
 	}
 
+	if (offset > chrc->value_len)
+		return g_dbus_create_error(msg,
+				"org.bluez.Error.InvalidOffset", NULL);
+
+
 	/* Authorization check of prepare writes */
 	if (prep_authorize)
 		return g_dbus_create_reply(msg, DBUS_TYPE_INVALID);
@@ -2683,6 +2694,10 @@ static DBusMessage *desc_write_value(DBusConnection *conn, DBusMessage *msg,
 		return g_dbus_create_error(msg,
 				"org.bluez.Error.InvalidArguments", NULL);
 
+	if (offset > desc->value_len)
+		return g_dbus_create_error(msg,
+				"org.bluez.Error.InvalidOffset", NULL);
+
 	if (write_value(&desc->value_len, &desc->value, value, value_len,
 						offset, desc->max_val_len))
 		return g_dbus_create_error(msg,
-- 
2.25.4
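Review bot: The new offset check in authorize_write_response sits in what appears to be the post-prompt path (the function's name and its `input` parameter suggest it runs once the user has answered), so a write whose offset lies past the current value can be authorized interactively and only then refused with InvalidOffset. If `aad->offset` is already known when the request is first received, rejecting it there would avoid prompting for a write that is never applied; the start of this function and the code that builds `aad` are outside the hunk, so this is a suggestion to confirm against the caller. The equivalent guards added to chrc_write_value and desc_write_value in the next two hunks do sit at the entry of their handlers. A one-line comment above the new block, `/* An offset beyond the current value is refused with InvalidOffset */`, would match the existing `/* Authorization check of prepare writes */` comment style in this function.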
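Review bot: Two consecutive blank lines are added after the InvalidOffset return in chrc_write_value (the two bare `+` lines before the prepare-write comment); a single blank line is enough and matches the one blank line the same check gets in desc_write_value in the last hunk. Dropping the second blank line keeps the three new guards visually identical and avoids the multiple-blank-line warning that style checkers commonly raise. chrc_write_value begins and ends outside the hunk.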