authorAnderson Lizardo <anderson.lizardo@openbossa.org>2013-02-15 11:07:51 -0400
committerJohan Hedberg <johan.hedberg@intel.com>2013-02-18 10:00:52 +0200
commit1e75de470e439aaebce3f5c6370f64545026d7ac (patch)
tree2e86d4203b07b9262ed78662f112609009a46c95 /lib/sdp.c
parent67c7f0bf9b0c5d7023c60fdd4b0b287c212922e4 (diff)
lib: Validate DTDs when parsing LanguageBaseAttributeIDList
Also check if the required number of entries is present.
Diffstat (limited to 'lib/sdp.c')
-rw-r--r--lib/sdp.c32
1 files changed, 25 insertions, 7 deletions
diff --git a/lib/sdp.c b/lib/sdp.c
index 782d9bd32..77dafaa35 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -2019,19 +2019,30 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
errno = ENODATA;
return -1;
}
+
+ if (!SDP_IS_SEQ(sdpdata->dtd))
+ goto invalid;
curr_data = sdpdata->val.dataseq;
+
while (curr_data) {
- sdp_data_t *pCode = curr_data;
- sdp_data_t *pEncoding;
- sdp_data_t *pOffset;
+ sdp_data_t *pCode, *pEncoding, *pOffset;
+
+ pCode = curr_data;
+ if (pCode->dtd != SDP_UINT16)
+ goto invalid;
+
+ /* LanguageBaseAttributeIDList entries are always grouped as
+ * triplets */
+ if (!pCode->next || !pCode->next->next)
+ goto invalid;
pEncoding = pCode->next;
- if (!pEncoding)
- break;
+ if (pEncoding->dtd != SDP_UINT16)
+ goto invalid;
pOffset = pEncoding->next;
- if (!pOffset)
- break;
+ if (pOffset->dtd != SDP_UINT16)
+ goto invalid;
lang = malloc(sizeof(sdp_lang_attr_t));
if (!lang) {
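Review bot: An empty sequence still passes validation: when `sdpdata->val.dataseq` is NULL the `while (curr_data)` loop is skipped, and the function appears to fall through to the `return 0` shown in the next hunk with nothing added to `*langSeq`. The commit message says the required number of entries is checked, but only a partial triplet is rejected, not zero triplets. If an empty LanguageBaseAttributeIDList should be treated as malformed too, add `if (!curr_data) goto invalid;` right after the assignment to `curr_data`. Otherwise every caller that reads the first list element after a successful return needs its own NULL check. The body of sdp_get_lang_attr starts before this hunk and continues past it.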
@@ -2051,6 +2062,13 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
}
return 0;
+
+invalid:
+ sdp_list_free(*langSeq, free);
+ *langSeq = NULL;
+ errno = EINVAL;
+
+ return -1;
}
int sdp_get_profile_descs(const sdp_record_t *rec, sdp_list_t **profDescSeq)
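Review bot: The `invalid:` label is also reached from the `SDP_IS_SEQ` check in the previous hunk, before any entry has been appended. The cleanup there depends on `*langSeq` having been initialised earlier in the function (not visible in this hunk) and on `sdp_list_free()` accepting an empty list. A short comment above the label would record that, e.g. `/* may be reached with *langSeq still NULL; sdp_list_free() must tolerate that */`. The allocation-failure branch that begins at the end of the previous hunk appears to perform the same list cleanup on its own; if so, routing it through a shared label would keep the two error paths from drifting apart.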