Author: emax
Date: Tue Oct 20 18:01:08 2015
New Revision: 289637
URL: https://svnweb.freebsd.org/changeset/base/289637

Log:
  check boundaries while parsing SDP responses
  
  Reported by:  hps
  Reviewed by:  hps
  MFC after:    1 week

Modified:
  head/usr.sbin/bluetooth/sdpcontrol/search.c

Modified: head/usr.sbin/bluetooth/sdpcontrol/search.c
==============================================================================
--- head/usr.sbin/bluetooth/sdpcontrol/search.c Tue Oct 20 17:58:21 2015        
(r289636)
+++ head/usr.sbin/bluetooth/sdpcontrol/search.c Tue Oct 20 18:01:08 2015        
(r289637)
@@ -103,6 +103,12 @@ print_service_class_id_list(uint8_t cons
                /* NOT REACHED */
        }
 
+       if (len > (end - start)) {
+               fprintf(stderr, "Invalid Service Class ID List. " \
+                               "Too long len=%d\n", len);
+               return;
+       }
+
        while (start < end) {
                SDP_GET8(type, start);
                switch (type) {
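Review bot: The new check at L26 bounds only the element payload against `end`; the loop that follows at L32 guarantees a single byte (`start < end`) before `SDP_GET8(type, start)`, and the multi-byte UUID reads that presumably follow inside the switch (outside this hunk) are not visibly bounded, so a list whose last element is truncated can still be read past `end`. The same pattern appears in both print_protocol_descriptor_list hunks and both print_bluetooth_profile_descriptor_list hunks. A per-element guard that compares the bytes remaining after the type byte with the size `type` implies, e.g. `if (end - start < 2) { fprintf(stderr, "Invalid Service Class ID List. Truncated UUID\n"); return; }` before the smallest UUID read, would close it. Also, if `len` is declared unsigned, `%d` at L28 is the wrong conversion and `%u` matches. print_service_class_id_list starts and ends outside the hunk.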
@@ -259,28 +265,31 @@ print_protocol_descriptor(uint8_t const 
                case SDP_DATA_STR8:
                case SDP_DATA_URL8:
                        SDP_GET8(len, start);
-                       fprintf(stdout, "%*.*s\n", len, len, (char *) start);
-                       start += len;
+                       for (; start < end && len > 0; start ++, len --)
+                               fprintf(stdout, "%c", *start);
+                       fprintf(stdout, "\n");
                        break;
 
                case SDP_DATA_STR16:
                case SDP_DATA_URL16:
                        SDP_GET16(len, start);
-                       fprintf(stdout, "%*.*s\n", len, len, (char *) start);
-                       start += len;
+                       for (; start < end && len > 0; start ++, len --)
+                               fprintf(stdout, "%c", *start);
+                       fprintf(stdout, "\n");
                        break;
 
                case SDP_DATA_STR32:
                case SDP_DATA_URL32:
                        SDP_GET32(len, start);
-                       fprintf(stdout, "%*.*s\n", len, len, (char *) start);
-                       start += len;
+                       for (; start < end && len > 0; start ++, len --)
+                               fprintf(stdout, "%c", *start);
+                       fprintf(stdout, "\n");
                        break;
 
                case SDP_DATA_SEQ8:
                case SDP_DATA_ALT8:
                        SDP_GET8(len, start);
-                       for (; len > 0; start ++, len --)
+                       for (; start < end && len > 0; start ++, len --)
                                fprintf(stdout, "%#2.2x ", *start);
                        fprintf(stdout, "\n");
                        break;
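Review bot: When the loop at L41 stops because `start` reached `end` while `len` is still positive, the value was truncated, yet the function prints a newline and carries on as if it were complete, unlike the other hunks which report an `Invalid ...` error on stderr; the same applies to the STR16/STR32 cases at L51 and L61 and to the SEQ8/SEQ16/SEQ32 loops here and in the two following hunks. A diagnostic after each loop, e.g. `if (len > 0) fprintf(stderr, "Truncated attribute value\n");`, would make a malformed response visible instead of silently shortened. Separately, `%c` at L42 writes peer-supplied bytes to the terminal unfiltered, control and escape characters included; emitting only `isprint()` characters and escaping the rest (the SEQ cases already show hex via `%#2.2x`) is the safer presentation. print_protocol_descriptor starts and ends outside the hunk.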
@@ -288,7 +297,7 @@ print_protocol_descriptor(uint8_t const 
                case SDP_DATA_SEQ16:
                case SDP_DATA_ALT16:
                        SDP_GET16(len, start);
-                       for (; len > 0; start ++, len --)
+                       for (; start < end && len > 0; start ++, len --)
                                fprintf(stdout, "%#2.2x ", *start);
                        fprintf(stdout, "\n");
                        break;
@@ -296,7 +305,7 @@ print_protocol_descriptor(uint8_t const 
                case SDP_DATA_SEQ32:
                case SDP_DATA_ALT32:
                        SDP_GET32(len, start);
-                       for (; len > 0; start ++, len --)
+                       for (; start < end && len > 0; start ++, len --)
                                fprintf(stdout, "%#2.2x ", *start);
                        fprintf(stdout, "\n");
                        break;
@@ -342,6 +351,12 @@ print_protocol_descriptor_list(uint8_t c
                /* NOT REACHED */
        }
 
+       if (len > (end - start)) {
+               fprintf(stderr, "Invalid Protocol Descriptor List. " \
+                               "Too long, len=%d\n", len);
+               return;
+       }
+
        while (start < end) {
                SDP_GET8(type, start);
                switch (type) {
@@ -364,6 +379,12 @@ print_protocol_descriptor_list(uint8_t c
                        /* NOT REACHED */
                }
 
+               if (len > (end - start)) {
+                       fprintf(stderr, "Invalid Protocol Descriptor List. " \
+                                       "Too long, len=%d\n", len);
+                       return;
+               }
+
                print_protocol_descriptor(start, start + len);
                start += len;
        }
@@ -416,6 +437,12 @@ print_bluetooth_profile_descriptor_list(
                /* NOT REACHED */
        }
 
+       if (len > (end - start)) {
+               fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \
+                               "Too long, len=%d\n", len);
+               return;
+       }
+
        while (start < end) {
                SDP_GET8(type, start);
                switch (type) {
@@ -439,6 +466,13 @@ print_bluetooth_profile_descriptor_list(
                        /* NOT REACHED */
                }
 
+               if (len > (end - start)) {
+                       fprintf(stderr, "Invalid Bluetooth Profile " \
+                                       "Descriptor List. " \
+                                       "Too long, len=%d\n", len);
+                       return;
+               }
+
                /* Get UUID */
                SDP_GET8(type, start);
                switch (type) {
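Review bot: The new check at L135 accepts `len == 0`, and right after it `SDP_GET8(type, start)` at L143 reads the UUID type byte without confirming `start < end`; since `start` may already equal `end` once the element header has been consumed, a zero-length descriptor at the tail of the list reads one byte beyond `end`. The UUID and version reads that presumably follow (outside the hunk) also appear to be limited only by `end`, not by `start + len`, so the declared length never actually bounds them. Rejecting lengths too small to hold a UUID, e.g. `if (len < 3 || len > (end - start)) {`, or passing `start + len` as the limit for those field reads, would make the check sufficient as well as necessary. The enclosing while loop in print_bluetooth_profile_descriptor_list begins before this hunk and ends after it.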