MFC r289637

check boundaries while parsing SDP responses

Reported by:	hps
Reviewed by:	hps
emax 2015-11-05 16:08:38 +00:00
parent 6244443504
commit 94580a0106


@ -102,6 +102,12 @@ print_service_class_id_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Service Class ID List. " \
"Too long len=%d\n", len);
return;
}
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@ -258,28 +264,31 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_STR8:
case SDP_DATA_URL8:
SDP_GET8(len, start);
fprintf(stdout, "%*.*s\n", len, len, (char *) start);
start += len;
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%c", *start);
fprintf(stdout, "\n");
break;
case SDP_DATA_STR16:
case SDP_DATA_URL16:
SDP_GET16(len, start);
fprintf(stdout, "%*.*s\n", len, len, (char *) start);
start += len;
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%c", *start);
fprintf(stdout, "\n");
break;
case SDP_DATA_STR32:
case SDP_DATA_URL32:
SDP_GET32(len, start);
fprintf(stdout, "%*.*s\n", len, len, (char *) start);
start += len;
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%c", *start);
fprintf(stdout, "\n");
break;
case SDP_DATA_SEQ8:
case SDP_DATA_ALT8:
SDP_GET8(len, start);
for (; len > 0; start ++, len --)
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@ -287,7 +296,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_SEQ16:
case SDP_DATA_ALT16:
SDP_GET16(len, start);
for (; len > 0; start ++, len --)
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@ -295,7 +304,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_SEQ32:
case SDP_DATA_ALT32:
SDP_GET32(len, start);
for (; len > 0; start ++, len --)
for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@ -341,6 +350,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Protocol Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@ -363,6 +378,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Protocol Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
print_protocol_descriptor(start, start + len);
start += len;
}
@ -415,6 +436,12 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@ -438,6 +465,13 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end
/* NOT REACHED */
}
if (len > (end - start)) {
fprintf(stderr, "Invalid Bluetooth Profile " \
"Descriptor List. " \
"Too long, len=%d\n", len);
return;
}
/* Get UUID */
SDP_GET8(type, start);
switch (type) {
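Review bot: In the print_protocol_descriptor cases, `SDP_GET8(len, start)`, `SDP_GET16(len, start)` and `SDP_GET32(len, start)` still fetch the length field with no visible check that one, two or four bytes remain before `end`, so a response truncated right after the type byte could still be read past the buffer; the new `start < end` condition only bounds the payload loop that follows. Unless a check outside these hunks already guarantees it, each case should test the remaining size before the read, for example `if (end - start < 2)` ahead of `SDP_GET16`, and report the element as invalid the way the list-level checks do. The length reads ahead of the new `len > (end - start)` checks in the list printers sit outside the hunks and would need the same look. Separately, the string and URL cases now write every response byte with `%c`, including NULs and terminal control characters supplied by the remote device; printing `isprint(*start) ? *start : '.'` would keep the output inert.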