authoremax <emax@FreeBSD.org>2015-10-20 18:01:08 +0000
committeremax <emax@FreeBSD.org>2015-10-20 18:01:08 +0000
commitfe905e72e67047b47fea2c5f8c3206b02e427be5 (patch)
tree0e85814e039ede37a05d4423e941b5ca29b3f7d2 /usr.sbin/bluetooth/sdpcontrol
parent6db15b38fe517e18653d6be9f104fdd82b7bd5d6 (diff)
check boundaries while parsing SDP responses
Reported by: hps Reviewed by: hps MFC after: 1 week
Diffstat (limited to 'usr.sbin/bluetooth/sdpcontrol')
-rw-r--r--usr.sbin/bluetooth/sdpcontrol/search.c52
1 files changed, 43 insertions, 9 deletions
diff --git a/usr.sbin/bluetooth/sdpcontrol/search.c b/usr.sbin/bluetooth/sdpcontrol/search.c
index acc8c16..6a2808c 100644
--- a/usr.sbin/bluetooth/sdpcontrol/search.c
+++ b/usr.sbin/bluetooth/sdpcontrol/search.c
@@ -103,6 +103,12 @@ print_service_class_id_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Service Class ID List. " \
+ "Too long len=%d\n", len);
+ return;
+ }
+
while (start < end) {
SDP_GET8(type, start);
switch (type) {
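Review bot: The new check rejects a `len` larger than the remaining buffer, but the `while (start < end)` loop right after it still runs to `end` rather than to `start + len`, so a sequence that declares fewer bytes than the buffer holds has its trailing bytes parsed as list elements. Adding `end = start + len;` after the check would make the declared length the actual parse bound. The same check-then-loop shape appears in the first hunks of print_protocol_descriptor_list and print_bluetooth_profile_descriptor_list. The loop body is outside the hunk, so whether its per-element reads are bounded separately cannot be confirmed from here.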
@@ -259,28 +265,31 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_STR8:
case SDP_DATA_URL8:
SDP_GET8(len, start);
- fprintf(stdout, "%*.*s\n", len, len, (char *) start);
- start += len;
+ for (; start < end && len > 0; start ++, len --)
+ fprintf(stdout, "%c", *start);
+ fprintf(stdout, "\n");
break;
case SDP_DATA_STR16:
case SDP_DATA_URL16:
SDP_GET16(len, start);
- fprintf(stdout, "%*.*s\n", len, len, (char *) start);
- start += len;
+ for (; start < end && len > 0; start ++, len --)
+ fprintf(stdout, "%c", *start);
+ fprintf(stdout, "\n");
break;
case SDP_DATA_STR32:
case SDP_DATA_URL32:
SDP_GET32(len, start);
- fprintf(stdout, "%*.*s\n", len, len, (char *) start);
- start += len;
+ for (; start < end && len > 0; start ++, len --)
+ fprintf(stdout, "%c", *start);
+ fprintf(stdout, "\n");
break;
case SDP_DATA_SEQ8:
case SDP_DATA_ALT8:
SDP_GET8(len, start);
- for (; len > 0; start ++, len --)
+ for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
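Review bot: The string and URL cases now write every byte of the remote-supplied value to stdout with `%c`, including control characters, so an SDP response can place escape sequences on the operator's terminal. Filtering at the print site keeps the output inert: `fprintf(stdout, "%c", isprint(*start) ? *start : '.');` in the three `for` loops (this needs `<ctype.h>`, and the file's include list is not visible here). The loops also stop silently when `start` reaches `end` with `len` still positive; a short message on stderr would match the "Too long" diagnostics added elsewhere in this commit.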
@@ -288,7 +297,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_SEQ16:
case SDP_DATA_ALT16:
SDP_GET16(len, start);
- for (; len > 0; start ++, len --)
+ for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
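Review bot: `SDP_GET16(len, start)` reads the length prefix before anything in this hunk confirms that two bytes remain before `end`; the added `start < end` condition only guards the payload loop that follows. A guard such as `if (end - start < 2) return;` ahead of the macro closes that gap, with the width adjusted for the `SDP_GET8` and `SDP_GET32` length reads in the previous and next hunks. This assumes the SDP_GET macros, which are defined outside this page, do no bounds checking of their own, and the enclosing loop of print_protocol_descriptor starts outside the hunk.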
@@ -296,7 +305,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end)
case SDP_DATA_SEQ32:
case SDP_DATA_ALT32:
SDP_GET32(len, start);
- for (; len > 0; start ++, len --)
+ for (; start < end && len > 0; start ++, len --)
fprintf(stdout, "%#2.2x ", *start);
fprintf(stdout, "\n");
break;
@@ -342,6 +351,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Protocol Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@@ -364,6 +379,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end)
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Protocol Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
print_protocol_descriptor(start, start + len);
start += len;
}
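Review bot: The comparison `len > (end - start)` mixes `len` with a signed pointer difference, and `len` is printed with `%d`; its declaration is outside the hunk, but if it is a signed int, a 32-bit length with the top bit set becomes negative, passes this check, and makes `start + len` on the following line point before `start`. Declaring `len` unsigned, writing the test as `if (len > (size_t)(end - start))`, and printing with `%u` removes the dependency on the implicit conversion. The other four checks added in this commit use the same form.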
@@ -416,6 +437,12 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
while (start < end) {
SDP_GET8(type, start);
switch (type) {
@@ -439,6 +466,13 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end
/* NOT REACHED */
}
+ if (len > (end - start)) {
+ fprintf(stderr, "Invalid Bluetooth Profile " \
+ "Descriptor List. " \
+ "Too long, len=%d\n", len);
+ return;
+ }
+
/* Get UUID */
SDP_GET8(type, start);
switch (type) {
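Review bot: The added check sets only an upper bound on `len`, so a descriptor that declares `len` as 0 (or anything shorter than the UUID element) passes and `SDP_GET8(type, start)` under `/* Get UUID */` still reads, possibly at `end`. Rejecting lengths too small to hold the elements the code goes on to read, alongside the too-long case, would close this; alternatively those reads could be bounded by `start + len`. The UUID switch and what follows it continue outside the hunk, so the exact minimum cannot be stated from here.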