svn commit: r290395 - stable/10/usr.sbin/bluetooth/sdpcontrol
Maksim Yevmenkin
emax at FreeBSD.org
Thu Nov 5 16:08:39 UTC 2015
Author: emax
Date: Thu Nov 5 16:08:38 2015
New Revision: 290395
URL: https://svnweb.freebsd.org/changeset/base/290395
Log:
MFC r289637
check boundaries while parsing SDP responses
Reported by: hps
Reviewed by: hps
Modified:
stable/10/usr.sbin/bluetooth/sdpcontrol/search.c
Directory Properties:
stable/10/ (props changed)
Modified: stable/10/usr.sbin/bluetooth/sdpcontrol/search.c
==============================================================================
--- stable/10/usr.sbin/bluetooth/sdpcontrol/search.c Thu Nov 5 14:55:58 2015 (r290394)
+++ stable/10/usr.sbin/bluetooth/sdpcontrol/search.c Thu Nov 5 16:08:38 2015 (r290395)
@@ -102,6 +102,12 @@ print_service_class_id_list(uint8_t cons
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Service Class ID List. " \
+ "Too long len=%d\n", len);
+ return;
+ }
+
while (start < end) {
SDP_GET8(type, start);
switch (type) {
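Review bot: After the added length check the element loop still runs `while (start < end)` rather than stopping at `start + len`, so when the declared list is shorter than the buffer, the bytes after it are parsed as list elements. Setting `end = start + len;` right after the check would confine the loop to the declared sequence, assuming `end` is an ordinary pointer parameter (the signature is truncated in the hunk header). The same pattern appears in the outer checks added to print_protocol_descriptor_list (@@ -341) and print_bluetooth_profile_descriptor_list (@@ -415). The loop body continues outside the hunk, so whether the per-element reads inside the switch are bounded cannot be confirmed from here.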
@@ -258,28 +264,31 @@ print_protocol_descriptor(uint8_t const
case SDP_DATA_STR8:
case SDP_DATA_URL8:
SDP_GET8(len, start);
- fprintf(stdout, "%*.*s\n", len, len, (char *) start);
- start += len;
+ for (; start < end && len > 0; start ++, len --)
+ fprintf(stdout, "%c", *start);
+ fprintf(stdout, "\n");
break;
case SDP_DATA_STR16:
case SDP_DATA_URL16:
SDP_GET16(len, start);
- fprintf(stdout, "%*.*s\n", len, len, (char *) start);
- start += len;
+ for (; start < end && len > 0; start ++, len --)
+ fprintf(stdout, "%c", *start);
+ fprintf(stdout, "\n");
break;
case SDP_DATA_STR32:
case SDP_DATA_URL32:
SDP_GET32(len, start);
- fprintf(stdout, "%*.*s\n", len, len, (char *) start);
- start += len;
+ for (; start < end && len > 0; start ++, len --)
+ fprintf(stdout, "%c", *start);
+ fprintf(stdout, "\n");
break;
case SDP_DATA_SEQ8:
case SDP_DATA_ALT8:
SDP_GET8(len, start);
- for (; len > 0; start ++, len --)
+ for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
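Review bot: The added `start < end` test guards only the payload loop; in each arm the preceding `SDP_GET8`/`SDP_GET16`/`SDP_GET32(len, start)` still reads the 1, 2 or 4 length bytes without checking that they lie before `end`. A guard such as `if (end - start < 2) return;` ahead of `SDP_GET16` (1 and 4 for the other widths) would close that, and the same applies to the SEQ16/ALT16 and SEQ32/ALT32 hunks that follow. The loops also stop silently when `len` runs past `end`, so a truncated element is printed as if complete, and `%c` writes peer-supplied bytes to the terminal unfiltered; printing `isprint(*start) ? *start : '.'` would keep control characters out of the output. The enclosing loop and the macro definitions are outside the hunk, so the exact over-read depends on checks not visible here.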
@@ -287,7 +296,7 @@ print_protocol_descriptor(uint8_t const
case SDP_DATA_SEQ16:
case SDP_DATA_ALT16:
SDP_GET16(len, start);
- for (; len > 0; start ++, len --)
+ for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@@ -295,7 +304,7 @@ print_protocol_descriptor(uint8_t const
case SDP_DATA_SEQ32:
case SDP_DATA_ALT32:
SDP_GET32(len, start);
- for (; len > 0; start ++, len --)
+ for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@@ -341,6 +350,12 @@ print_protocol_descriptor_list(uint8_t c
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Protocol Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@@ -363,6 +378,12 @@ print_protocol_descriptor_list(uint8_t c
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Protocol Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
print_protocol_descriptor(start, start + len);
start += len;
}
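Review bot: The comparison `len > (end - start)` mixes `len` with a signed `ptrdiff_t`, and the message prints it with `%d`; `len` is presumably an unsigned 32-bit value, but its declaration is outside the hunk. If `start` were ever past `end`, the negative difference could convert to a large unsigned value on a 32-bit target and the check would pass. Writing it as `if (start > end || len > (size_t)(end - start))` and printing with `%u` makes the intent explicit. The same expression is used in the other four checks this commit adds.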
@@ -415,6 +436,12 @@ print_bluetooth_profile_descriptor_list(
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@@ -438,6 +465,13 @@ print_bluetooth_profile_descriptor_list(
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Bluetooth Profile " \
+ "Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
/* Get UUID */
SDP_GET8(type, start);
switch (type) {
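Review bot: The added check sets only an upper bound, so a descriptor with a `len` of 0, or any value too small for the UUID read that follows, passes and `SDP_GET8(type, start)` is executed immediately afterwards regardless. A minimum-size test before the read, for example `if (len < 1 || len > (end - start))`, would reject it. The exact minimum depends on the UUID parsing in the switch, which continues outside the hunk.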