check boundaries while parsing SDP responses

Reported by:	hps
Reviewed by:	hps
MFC after:	1 week
Maksim Yevmenkin 2015-10-20 18:01:08 +00:00
parent c814b86843
commit f32d9c4bd3
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=289637


@ -103,6 +103,12 @@ print_service_class_id_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Service Class ID List. " \
"Too long len=%d\n", len);
return;
}
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@ -259,28 +265,31 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_STR8:
case SDP_DATA_URL8:
SDP_GET8(len, start);
fprintf(stdout, "%*.*s\n", len, len, (char *) start);
start += len;
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%c", *start);
fprintf(stdout, "\n");
break;
case SDP_DATA_STR16:
case SDP_DATA_URL16:
SDP_GET16(len, start);
fprintf(stdout, "%*.*s\n", len, len, (char *) start);
start += len;
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%c", *start);
fprintf(stdout, "\n");
break;
case SDP_DATA_STR32:
case SDP_DATA_URL32:
SDP_GET32(len, start);
fprintf(stdout, "%*.*s\n", len, len, (char *) start);
start += len;
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%c", *start);
fprintf(stdout, "\n");
break;
case SDP_DATA_SEQ8:
case SDP_DATA_ALT8:
SDP_GET8(len, start);
for (; len > 0; start ++, len --)
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@ -288,7 +297,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_SEQ16:
case SDP_DATA_ALT16:
SDP_GET16(len, start);
for (; len > 0; start ++, len --)
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@ -296,7 +305,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_SEQ32:
case SDP_DATA_ALT32:
SDP_GET32(len, start);
for (; len > 0; start ++, len --)
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@ -342,6 +351,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Protocol Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@ -364,6 +379,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Protocol Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
print_protocol_descriptor(start, start + len);
start += len;
}
@ -416,6 +437,12 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@ -439,6 +466,13 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Bluetooth Profile " \
"Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
/* Get UUID */
SDP_GET8(type, start);
switch (type) {
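Review bot: In the print_protocol_descriptor hunks the length prefix itself is still read without a bounds check: `SDP_GET8(len, start)`, `SDP_GET16(len, start)` and `SDP_GET32(len, start)` run directly after the case labels, and nothing visible confirms that 1, 2 or 4 bytes remain before `end`. A truncated response could therefore still be read past the buffer before the new `start < end` loop condition applies. A guard such as `if (end - start < 2) { fprintf(stderr, "Invalid Protocol Descriptor. Truncated length\n"); return; }` ahead of each read, sized to match the macro, would close that gap; the enclosing loop lies outside the hunk, so this assumes it does not already check. The string cases also write every byte of the remote device's response to the terminal with `%c`, so printing `isprint(*start) ? *start : '.'` (with `<ctype.h>`) would keep control characters out of the output.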