Check that the length of the received message is at least as big as a PDU

before we use pdu->len. Submitted by: Iain Hibbert MFC after: 3 days
author: emax <emax@FreeBSD.org> 2007-02-23 19:37:47 +0000
committer: emax <emax@FreeBSD.org> 2007-02-23 19:37:47 +0000
commit: 33ad2957017b8f8863b4b5cc1ee316848480a741 (patch)
tree: 59d1af18ec21ae70e6a15189a4dad6a2d0d2559c /usr.sbin/bluetooth
parent: 7e923baf390426183f8caf348d63dc1def5bc3d6 (diff)
download: FreeBSD-src-33ad2957017b8f8863b4b5cc1ee316848480a741.zip
FreeBSD-src-33ad2957017b8f8863b4b5cc1ee316848480a741.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.sbin/bluetooth/sdpd/server.c b/usr.sbin/bluetooth/sdpd/server.c
index bef7e3e..816c6f5 100644
--- a/usr.sbin/bluetooth/sdpd/server.c
+++ b/usr.sbin/bluetooth/sdpd/server.c
@@ -432,7 +432,8 @@ server_process_request(server_p srv, int32_t fd)
 		return (-1);
 	}
 
-	if (sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
+	if (len >= sizeof(*pdu) &&
+	    sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
 		switch (pdu->pid) {
 		case SDP_PDU_SERVICE_SEARCH_REQUEST:
 			error = server_prepare_service_search_response(srv, fd);
author	emax <emax@FreeBSD.org>	2007-02-23 19:37:47 +0000
committer	emax <emax@FreeBSD.org>	2007-02-23 19:37:47 +0000
commit	33ad2957017b8f8863b4b5cc1ee316848480a741 (patch)
tree	59d1af18ec21ae70e6a15189a4dad6a2d0d2559c /usr.sbin/bluetooth
parent	7e923baf390426183f8caf348d63dc1def5bc3d6 (diff)
download	FreeBSD-src-33ad2957017b8f8863b4b5cc1ee316848480a741.zip FreeBSD-src-33ad2957017b8f8863b4b5cc1ee316848480a741.tar.gz