korg/bluez
0
0
Fork 0
mirror of https://git.kernel.org/pub/scm/bluetooth/bluez.git synced 2024-12-02 08:34:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

attrib: Add extra PDU checks when decoding Read by Group Type Response

Browse Source 
These checks are needed to avoid invalid memory access on bogus PDUs.
This commit is contained in:
Anderson Lizardo 2014-01-11 00:47:22 -04:00 committed by Johan Hedberg
parent a5e6aafdf7
commit ef97296c20
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
attrib/att.c
View File

@ -211,7 +211,25 @@ struct att_data_list *dec_read_by_grp_resp(const uint8_t *pdu, size_t len)
if (pdu[0] != ATT_OP_READ_BY_GROUP_RESP)
return NULL;
/* PDU must contain at least:
* - Attribute Opcode (1 octet)
* - Length (1 octet)
* - Attribute Data List (at least one entry):
* - Attribute Handle (2 octets)
* - End Group Handle (2 octets)
* - Attribute Value (at least 1 octet) */
if (len < 7)
return NULL;
elen = pdu[1];
/* Minimum Attribute Data List size */
if (elen < 5)
return NULL;
/* Reject incomplete Attribute Data List */
if ((len - 2) % elen)
return NULL;
num = (len - 2) / elen;
list = att_data_list_alloc(num, elen);
if (list == NULL)