d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Check that the length of the received message is at least as big as a PDU

Browse Source 
before we use pdu->len.

Submitted by:	Iain Hibbert
MFC after:	3 days
This commit is contained in:
emax 2007-02-23 19:37:47 +00:00
parent 7e923baf39
commit 33ad295701
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
usr.sbin/bluetooth/sdpd/server.c
View File

@ -432,7 +432,8 @@ server_process_request(server_p srv, int32_t fd)
return (-1);
}
if (sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
if (len >= sizeof(*pdu) &&
sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
switch (pdu->pid) {
case SDP_PDU_SERVICE_SEARCH_REQUEST:
error = server_prepare_service_search_response(srv, fd);