diff options
| author | emax <emax@FreeBSD.org> | 2015-11-05 16:08:38 +0000 |
|---|---|---|
| committer | emax <emax@FreeBSD.org> | 2015-11-05 16:08:38 +0000 |
| commit | 94580a0106bba3ed20d207ae7b9766db3580474a (patch) | |
| tree | eee5794e794498414d26ed42da6a6a76e00629e9 /usr.sbin | |
| parent | 624444350402c7ad485f195fb510d5023d85f669 (diff) | |
| download | FreeBSD-src-94580a0106bba3ed20d207ae7b9766db3580474a.zip FreeBSD-src-94580a0106bba3ed20d207ae7b9766db3580474a.tar.gz | |
MFC r289637
check boundaries while parsing SDP responses
Reported by: hps
Reviewed by: hps
Diffstat (limited to 'usr.sbin')
| -rw-r--r-- | usr.sbin/bluetooth/sdpcontrol/search.c | 52 |
1 files changed, 43 insertions, 9 deletions
diff --git a/usr.sbin/bluetooth/sdpcontrol/search.c b/usr.sbin/bluetooth/sdpcontrol/search.c index e7d8244..09ef5a3 100644 --- a/usr.sbin/bluetooth/sdpcontrol/search.c +++ b/usr.sbin/bluetooth/sdpcontrol/search.c @@ -102,6 +102,12 @@ print_service_class_id_list(uint8_t const *start, uint8_t const *end) /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Service Class ID List. " \ + "Too long len=%d\n", len); + return; + } + while (start < end) { SDP_GET8(type, start); switch (type) { @@ -258,28 +264,31 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end) case SDP_DATA_STR8: case SDP_DATA_URL8: SDP_GET8(len, start); - fprintf(stdout, "%*.*s\n", len, len, (char *) start); - start += len; + for (; start < end && len > 0; start ++, len --) + fprintf(stdout, "%c", *start); + fprintf(stdout, "\n"); break; case SDP_DATA_STR16: case SDP_DATA_URL16: SDP_GET16(len, start); - fprintf(stdout, "%*.*s\n", len, len, (char *) start); - start += len; + for (; start < end && len > 0; start ++, len --) + fprintf(stdout, "%c", *start); + fprintf(stdout, "\n"); break; case SDP_DATA_STR32: case SDP_DATA_URL32: SDP_GET32(len, start); - fprintf(stdout, "%*.*s\n", len, len, (char *) start); - start += len; + for (; start < end && len > 0; start ++, len --) + fprintf(stdout, "%c", *start); + fprintf(stdout, "\n"); break; case SDP_DATA_SEQ8: case SDP_DATA_ALT8: SDP_GET8(len, start); - for (; len > 0; start ++, len --) + for (; start < end && len > 0; start ++, len --) fprintf(stdout, "%#2.2x ", *start); fprintf(stdout, "\n"); break; @@ -287,7 +296,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end) case SDP_DATA_SEQ16: case SDP_DATA_ALT16: SDP_GET16(len, start); - for (; len > 0; start ++, len --) + for (; start < end && len > 0; start ++, len --) fprintf(stdout, "%#2.2x ", *start); fprintf(stdout, "\n"); break; @@ -295,7 +304,7 @@ print_protocol_descriptor(uint8_t const *start, uint8_t const *end) case SDP_DATA_SEQ32: case SDP_DATA_ALT32: SDP_GET32(len, start); - for (; len > 0; start ++, len --) + for (; start < end && len > 0; start ++, len --) fprintf(stdout, "%#2.2x ", *start); fprintf(stdout, "\n"); break; @@ -341,6 +350,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end) /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Protocol Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + while (start < end) { SDP_GET8(type, start); switch (type) { @@ -363,6 +378,12 @@ print_protocol_descriptor_list(uint8_t const *start, uint8_t const *end) /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Protocol Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + print_protocol_descriptor(start, start + len); start += len; } @@ -415,6 +436,12 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + while (start < end) { SDP_GET8(type, start); switch (type) { @@ -438,6 +465,13 @@ print_bluetooth_profile_descriptor_list(uint8_t const *start, uint8_t const *end /* NOT REACHED */ } + if (len > (end - start)) { + fprintf(stderr, "Invalid Bluetooth Profile " \ + "Descriptor List. " \ + "Too long, len=%d\n", len); + return; + } + /* Get UUID */ SDP_GET8(type, start); switch (type) { |
