diff options
author | emax <emax@FreeBSD.org> | 2015-10-20 18:01:08 +0000 |
---|---|---|
committer | emax <emax@FreeBSD.org> | 2015-10-20 18:01:08 +0000 |
commit | fe905e72e67047b47fea2c5f8c3206b02e427be5 (patch) | |
tree | 0e85814e039ede37a05d4423e941b5ca29b3f7d2 /usr.sbin/bluetooth/sdpcontrol | |
parent | 6db15b38fe517e18653d6be9f104fdd82b7bd5d6 (diff) | |
download | FreeBSD-src-fe905e72e67047b47fea2c5f8c3206b02e427be5.zip FreeBSD-src-fe905e72e67047b47fea2c5f8c3206b02e427be5.tar.gz |
check boundaries while parsing SDP responses
Reported by: hps
Reviewed by: hps
MFC after: 1 week
Diffstat (limited to 'usr.sbin/bluetooth/sdpcontrol')
-rw-r--r-- | usr.sbin/bluetooth/sdpcontrol/search.c | 52 |
1 files changed, 43 insertions, 9 deletions
diff --git a/usr.sbin/bluetooth/sdpcontrol/search.c b/usr.sbin/bluetooth/sdpcontrol/search.c index acc8c16..6a2808c 100644 --- a/usr.sbin/bluetooth/sdpcontrol/search.c +++ b/usr.sbin/bluetooth/sdpcontrol/search.c @@ -103,6 +103,12 @@ print_service_class_id_list(uint8_t const *start, uint8_t const *end) /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Service Class ID List. " \ + "Too long len=%d\n", len); + return; + } + while (start < end) { SDP_GET8(type, start); switch (type) { @@ -259,28 +265,31 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end) case SDP_DATA_STR8: case SDP_DATA_URL8: SDP_GET8(len, start); - fprintf(stdout, "%*.*s\n", len, len, (char *) start); - start += len; + for (; start < end && len > 0; start ++, len --) + fprintf(stdout, "%c", *start); + fprintf(stdout, "\n"); break; case SDP_DATA_STR16: case SDP_DATA_URL16: SDP_GET16(len, start); - fprintf(stdout, "%*.*s\n", len, len, (char *) start); - start += len; + for (; start < end && len > 0; start ++, len --) + fprintf(stdout, "%c", *start); + fprintf(stdout, "\n"); break; case SDP_DATA_STR32: case SDP_DATA_URL32: SDP_GET32(len, start); - fprintf(stdout, "%*.*s\n", len, len, (char *) start); - start += len; + for (; start < end && len > 0; start ++, len --) + fprintf(stdout, "%c", *start); + fprintf(stdout, "\n"); break; case SDP_DATA_SEQ8: case SDP_DATA_ALT8: SDP_GET8(len, start); - for (; len > 0; start ++, len --) + for (; start < end && len > 0; start ++, len --) fprintf(stdout, "%#2.2x ", *start); fprintf(stdout, "\n"); break; @@ -288,7 +297,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end) case SDP_DATA_SEQ16: case SDP_DATA_ALT16: SDP_GET16(len, start); - for (; len > 0; start ++, len --) + for (; start < end && len > 0; start ++, len --) fprintf(stdout, "%#2.2x ", *start); fprintf(stdout, "\n"); break; @@ -296,7 +305,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end) case SDP_DATA_SEQ32: case SDP_DATA_ALT32: SDP_GET32(len, start); - for (; len > 0; start ++, len --) + for (; start < end && len > 0; start ++, len --) fprintf(stdout, "%#2.2x ", *start); fprintf(stdout, "\n"); break; @@ -342,6 +351,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end) /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Protocol Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + while (start < end) { SDP_GET8(type, start); switch (type) { @@ -364,6 +379,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end) /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Protocol Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + print_protocol_descriptor(start, start + len); start += len; } @@ -416,6 +437,12 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + while (start < end) { SDP_GET8(type, start); switch (type) { @@ -439,6 +466,13 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Bluetooth Profile " \ + "Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + /* Get UUID */ SDP_GET8(type, start); switch (type) { |