From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Check if capabilities are valid before attempting to copy them.
---
profiles/audio/avdtp.c | 56 +++++++++++++++++++++++++++---------------
1 file changed, 36 insertions(+), 20 deletions(-)
diff --git a/profiles/audio/avdtp.c b/profiles/audio/avdtp.c
index 623fe30d3..c7bf99f42 100644
--- a/profiles/audio/avdtp.c
+++ b/profiles/audio/avdtp.c
@@ -1305,43 +1305,53 @@ struct avdtp_remote_sep *avdtp_find_remote_sep(struct avdtp *session,
return NULL;
}
-static GSList *caps_to_list(uint8_t *data, int size,
+static GSList *caps_to_list(uint8_t *data, size_t size,
struct avdtp_service_capability **codec,
gboolean *delay_reporting)
{
+ struct avdtp_service_capability *cap;
GSList *caps;
- int processed;
if (delay_reporting)
*delay_reporting = FALSE;
- for (processed = 0, caps = NULL; processed + 2 <= size;) {
- struct avdtp_service_capability *cap;
- uint8_t length, category;
+ if (size < sizeof(*cap))
+ return NULL;
+
+ for (caps = NULL; size >= sizeof(*cap);) {
+ struct avdtp_service_capability *cpy;
- category = data[0];
- length = data[1];
+ cap = (struct avdtp_service_capability *)data;
- if (processed + 2 + length > size) {
+ if (sizeof(*cap) + cap->length >= size) {
error("Invalid capability data in getcap resp");
break;
}
- cap = g_malloc(sizeof(struct avdtp_service_capability) +
- length);
- memcpy(cap, data, 2 + length);
+ if (cap->category == AVDTP_MEDIA_CODEC &&
+ cap->length < sizeof(**codec)) {
+ error("Invalid codec data in getcap resp");
+ break;
+ }
+
+ cpy = btd_malloc(sizeof(*cpy) + cap->length);
+ memcpy(cpy, cap, sizeof(*cap) + cap->length);
- processed += 2 + length;
- data += 2 + length;
+ size -= sizeof(*cap) + cap->length;
+ data += sizeof(*cap) + cap->length;
- caps = g_slist_append(caps, cap);
+ caps = g_slist_append(caps, cpy);
- if (category == AVDTP_MEDIA_CODEC &&
- length >=
- sizeof(struct avdtp_media_codec_capability))
- *codec = cap;
- else if (category == AVDTP_DELAY_REPORTING && delay_reporting)
- *delay_reporting = TRUE;
+ switch (cap->category) {
+ case AVDTP_MEDIA_CODEC:
+ if (codec)
+ *codec = cap;
+ break;
+ case AVDTP_DELAY_REPORTING:
+ if (delay_reporting)
+ *delay_reporting = TRUE;
+ break;
+ }
}
return caps;
@@ -1538,6 +1548,12 @@ static gboolean avdtp_setconf_cmd(struct avdtp *session, uint8_t transaction,
&stream->codec,
&stream->delay_reporting);
+ if (!stream->caps || !stream->codec) {
+ err = AVDTP_UNSUPPORTED_CONFIGURATION;
+ category = 0x00;
+ goto failed_stream;
+ }
+
/* Verify that the Media Transport capability's length = 0. Reject otherwise */
for (l = stream->caps; l != NULL; l = g_slist_next(l)) {
struct avdtp_service_capability *cap = l->data;
--
2.30.2
