Bluetooth: SDP: Validate SSA response PDU

Adds two extra checks against an invalid length of the attribute payload
frame.

Jira: ZEP-1112

Change-Id: I089442a5b9631471f9f394860681f1483e021c43
Signed-off-by: Arkadiusz Lichwa <arkadiusz.lichwa@tieto.com>
Arkadiusz Lichwa 2016-12-30 18:50:43 +01:00 committed by Johan Hedberg
commit 3304cbc41b


@ -501,6 +501,12 @@ static void sdp_client_receive(struct bt_l2cap_chan *chan, struct net_buf *buf)
case BT_SDP_SVC_SEARCH_ATTR_RSP: case BT_SDP_SVC_SEARCH_ATTR_RSP:
/* Get number of attributes in this frame. */ /* Get number of attributes in this frame. */
frame_len = net_buf_pull_be16(buf); frame_len = net_buf_pull_be16(buf);
/* Check valid range of attributes length */
if (frame_len < 2) {
BT_ERR("Invalid attributes data length");
return;
}
/* Get PDU continuation state */ /* Get PDU continuation state */
cstate = (struct bt_sdp_pdu_cstate *)(buf->data + frame_len); cstate = (struct bt_sdp_pdu_cstate *)(buf->data + frame_len);
@ -510,6 +516,11 @@ static void sdp_client_receive(struct bt_l2cap_chan *chan, struct net_buf *buf)
return; return;
} }
if ((frame_len + cstate->length) > len) {
BT_ERR("Invalid frame payload length");
return;
}
/* No record found for given UUID */ /* No record found for given UUID */
if (frame_len == 2 && cstate->length == 0 && if (frame_len == 2 && cstate->length == 0 &&
session->cstate.length == 0) { session->cstate.length == 0) {
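Review bot: The new upper-bound check `if ((frame_len + cstate->length) > len)` in the second hunk runs only after `cstate` has been formed from `buf->data + frame_len` and `cstate->length` has already been read by the preceding check, so an oversized frame_len still causes a one-byte out-of-bounds read before the frame is rejected. The lower bound added in the first hunk should be paired with an upper bound before the pointer is computed, e.g. `if (frame_len < 2 || frame_len >= len) {` (this assumes `len` was itself bounded against `buf->len` earlier in the function, which is outside this hunk). The later sum check also silently assumes what `len` covers relative to the already-pulled frame_len field and the cstate length byte; a comment such as `/* len counts the attribute list plus the continuation state that follows it */` (adjusted to the actual accounting) would make that contract explicit. The body of sdp_client_receive starts and ends outside these hunks.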