diff options
| author | Lucas De Marchi <lucas.demarchi@profusion.mobi> | 2011-10-12 12:11:19 -0300 |
|---|---|---|
| committer | Johan Hedberg <johan.hedberg@intel.com> | 2011-10-13 13:09:25 +0300 |
| commit | 7cddeb379dcfb3e58f76d98822b4eb62a571e0d9 (patch) | |
| tree | 0b913c761a14a717859abe1ad49665aa7e928e11 /audio | |
| parent | 28b3057757862d7ed193341c2640be54deaf3ed0 (diff) | |
| download | bluez-7cddeb379dcfb3e58f76d98822b4eb62a571e0d9.tar.gz | |
AVRCP: Check if len matches number of IDs
If number of attributes remote side provided is larger than the length
we read, we would read garbage from stack memory.
Diffstat (limited to 'audio')
| -rw-r--r-- | audio/avrcp.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/audio/avrcp.c b/audio/avrcp.c index 0ca91a554..8b4665018 100644 --- a/audio/avrcp.c +++ b/audio/avrcp.c @@ -597,12 +597,16 @@ static uint8_t avrcp_handle_get_element_attributes(struct avrcp_player *player, int size; unsigned int i; - if (len < 8 || *identifier != 0) + if (len < 9 || *identifier != 0) + goto err; + + nattr = pdu->params[8]; + + if (len < nattr * sizeof(uint32_t) + 1) goto err; len = 0; pos = 1; /* Keep track of current position in reponse */ - nattr = pdu->params[8]; if (!nattr) { /* |