author | emax <emax@FreeBSD.org> | 2007-02-23 19:37:47 +0000 |
---|---|---|
committer | emax <emax@FreeBSD.org> | 2007-02-23 19:37:47 +0000 |
commit | 33ad2957017b8f8863b4b5cc1ee316848480a741 (patch) | |
tree | 59d1af18ec21ae70e6a15189a4dad6a2d0d2559c /usr.sbin/bluetooth/sdpd | |
parent | 7e923baf390426183f8caf348d63dc1def5bc3d6 (diff) | |
Check that the length of the received message is at least as big as a PDU
before we use pdu->len.
Submitted by: Iain Hibbert
MFC after: 3 days
Diffstat (limited to 'usr.sbin/bluetooth/sdpd')
-rw-r--r-- | usr.sbin/bluetooth/sdpd/server.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/bluetooth/sdpd/server.c b/usr.sbin/bluetooth/sdpd/server.c
index bef7e3e..816c6f5 100644
--- a/usr.sbin/bluetooth/sdpd/server.c
+++ b/usr.sbin/bluetooth/sdpd/server.c
@@ -432,7 +432,8 @@ server_process_request(server_p srv, int32_t fd)
 return (-1);
 }
- if (sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
+ if (len >= sizeof(*pdu) &&
+ sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
 switch (pdu->pid) {
 case SDP_PDU_SERVICE_SEARCH_REQUEST:
 error = server_prepare_service_search_response(srv, fd);
 |
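Review bot: The new `len >= sizeof(*pdu)` guard compares `len` against a `size_t`, and the declaration of `len` is outside this hunk; if it is a signed type holding a receive result, a negative value would convert to a large unsigned number and pass the guard, so the check depends on the earlier `return (-1)` paths having already rejected errors. Writing it as `if (len > 0 && (size_t)len >= sizeof(*pdu) &&` would make the guard correct on its own. The byte-order conversion is still an assignment buried in the second operand, so `pdu->len` stays in network order whenever the guard fails; a comment such as `/* pdu->len is converted to host order only when the message holds a full header */` would document that for code reading the field later. The body of server_process_request starts and ends outside the hunk, so whether the failure path reads other header fields from a short message could not be checked here.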