client/session.c | 28 ++++++++++++++++------------
src/pbap.c | 30 +++++++++++++++++++-----------
2 files changed, 35 insertions(+), 23 deletions(-)
New commits:
commit eff689307d7a50d309cbf395a7351086494c3b24
Author: Marcel Holtmann <[EMAIL PROTECTED]>
Date: Fri Nov 28 08:15:23 2008 +0100
Add more apparam range checking
commit f76aa96653ea275f798cca4ae30cb58c56a00914
Author: Raymond Liu <[EMAIL PROTECTED]>
Date: Thu Nov 27 15:05:50 2008 +0800
Unregister service and session interfaces in session_unref
diff --git a/client/session.c b/client/session.c
index 30231fd..b8ec987 100644
--- a/client/session.c
+++ b/client/session.c
@@ -105,20 +105,24 @@ static void session_unref(struct session_data *session)
close(session->sock);
if (session->conn) {
- if (session->transfer_path) {
- switch (session->uuid) {
- case OBEX_FILETRANS_SVCLASS_ID:
- g_dbus_unregister_interface(session->conn,
- session->transfer_path,
- TRANSFER_INTERFACE);
- break;
- case PBAP_PSE_SVCLASS_ID:
- pbap_unregister_interface(session->conn,
- session->transfer_path);
- break;
- }
+ if (session->transfer_path)
+ g_dbus_unregister_interface(session->conn,
+ session->transfer_path,
TRANSFER_INTERFACE);
+
+ switch (session->uuid) {
+ case OBEX_FILETRANS_SVCLASS_ID:
+ g_dbus_unregister_interface(session->conn,
+ session->path, FTP_INTERFACE);
+ break;
+ case PBAP_PSE_SVCLASS_ID:
+ pbap_unregister_interface(session->conn,
+ session->path);
+ break;
}
+ g_dbus_unregister_interface(session->conn,
+ session->path, SESSION_INTERFACE);
+
dbus_connection_unref(session->conn);
}
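Review bot: The new `g_dbus_unregister_interface(session->conn, session->path, SESSION_INTERFACE)` call and the uuid switch both dereference session->path without the NULL guard that transfer_path keeps; if session_unref can run on a session whose path was never registered (for example a connect that failed before registration), that hands NULL to gdbus, and if it cannot, a one-line comment such as `/* path is always set once conn exists */` would document the invariant. The switch also has no `default:` case, so for any uuid other than the two listed only SESSION_INTERFACE is removed and nothing is logged. session_unref begins before the hunk, so the guard that may exist further up is not visible here.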
diff --git a/src/pbap.c b/src/pbap.c
index 05c48ec..cfdaf6e 100644
--- a/src/pbap.c
+++ b/src/pbap.c
@@ -61,6 +61,7 @@ struct apparam_hdr {
uint8_t len;
uint8_t val[0];
} __attribute__ ((packed));
+#define APPARAM_HDR_SIZE 2
#define get_be64(val) GUINT64_FROM_BE(bt_get_unaligned((guint64 *) val))
#define get_be16(val) GUINT16_FROM_BE(bt_get_unaligned((guint16 *) val))
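Review bot: `#define APPARAM_HDR_SIZE 2` restates the layout of `struct apparam_hdr` by hand, so a later change to the header fields would silently desynchronise the bounds checks in pbap_pullphonebook that rely on it; `#define APPARAM_HDR_SIZE offsetof(struct apparam_hdr, val)` (requires <stddef.h>) derives the same value from the struct itself and stays correct whether `val` is declared `[0]` or as a C99 flexible array member. A short comment, `/* tag + len bytes preceding val */`, would help either way.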
@@ -71,28 +72,36 @@ static int pbap_pullphonebook(obex_t *obex, obex_object_t
*obj)
{
struct obex_session *session;
obex_headerdata_t hd;
- guint8 hi, *p, newmissedcalls, format;
+ guint8 hi, newmissedcalls, format;
guint16 maxlistcount, liststartoffset, phonebooksize;
- guint32 hlen, offset;
+ guint32 hlen;
guint64 filter;
- struct apparam_hdr *hdr;
session = OBEX_GetUserData(obex);
while (OBEX_ObjectGetNextHeader(obex, obj, &hi, &hd, &hlen)) {
+ void *ptr = (void *) hd.bs;
+ uint32_t len = hlen;
+
if (hi != OBEX_HDR_APPARAM)
continue;
- if (hlen <= sizeof(struct apparam_hdr)) {
+ if (hlen < APPARAM_HDR_SIZE) {
error("PBAP pullphonebook app parameters header"
" is too short: %d", hlen);
return -1;
}
- p = (guint8 *) hd.bs;
- hdr = (struct apparam_hdr *) hd.bs;
- offset = 0;
- while (offset < hlen) {
+ while (len > APPARAM_HDR_SIZE) {
+ struct apparam_hdr *hdr = ptr;
+
+ if (hdr->len > len - APPARAM_HDR_SIZE) {
+ error("Unexpected PBAP pullphonebook app"
+ " length, tag %d, len %d",
+ hdr->tag, hdr->len);
+ return -1;
+ }
+
switch (hdr->tag) {
case FILTER_TAG:
if (hdr->len == FILTER_LEN)
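Review bot: The loop condition `while (len > APPARAM_HDR_SIZE)` never parses a final parameter whose value is empty (exactly two bytes left with hdr->len == 0) and silently drops a trailing one-byte remainder, whereas the `hlen < APPARAM_HDR_SIZE` check just above rejects a short header loudly; if that asymmetry is intended, a comment such as `/* a trailing remainder shorter than a full header is ignored */` should say so, otherwise `>=` is the condition that matches the check. The bounds check `if (hdr->len > len - APPARAM_HDR_SIZE)` is correct and is what keeps the later `len -=` from underflowing. Arithmetic on `void *ptr` (here and in the `ptr +=` line of the next hunk) is a GCC extension; declaring it `uint8_t *ptr`, as the removed `guint8 *p` did, keeps it standard C, and if hd.bs is const-qualified the `(void *) hd.bs` cast drops that qualifier, which `const uint8_t *ptr` together with `const struct apparam_hdr *hdr` would preserve. pbap_pullphonebook's body extends past both ends of this hunk.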
@@ -117,9 +126,8 @@ static int pbap_pullphonebook(obex_t *obex, obex_object_t
*obj)
return -1;
}
- p += sizeof(struct apparam_hdr) + hdr->len;
- offset += sizeof(struct apparam_hdr) + hdr->len;
- hdr = (struct apparam_hdr *) p;
+ ptr += APPARAM_HDR_SIZE + hdr->len;
+ len -= APPARAM_HDR_SIZE + hdr->len;
}
/* Ignore multiple app param headers */