git.osdn.net Git - android-x86/external-bluetooth-bluez.git/commit

(root) / android-x86 / external-bluetooth-bluez.git / commit

author	Johan Hedberg <johan.hedberg@intel.com>
	Fri, 14 Oct 2011 08:15:14 +0000 (11:15 +0300)
committer	Johan Hedberg <johan.hedberg@intel.com>
	Fri, 14 Oct 2011 08:15:14 +0000 (11:15 +0300)
commit	9122bd7ec7df653cbf7443282636693470b73f89
tree	00e727da8a9496bf1d524acb4e22d4537f57bb77	tree \| snapshot
parent	402398c7dc8c759d0ba0a110f38ce91cbb6fa4aa	commit \| diff

Fix leaks and buffer overflows in EIR parsing

By calling g_utf8_validate and allocating eir->name inside the parsing
loop the code was exposing itself to buffer overflows and memory leaks.
This is because the check for incorrect length fields is only done after
exiting the loop (if (len > HCI_MAX_EIR_LENGTH)). By only setting a
pointer to the name and doing the processing after checking the length
validity both issues can be avoided.

src/eir.c

diff | blob | history

external/bluetooth/bluez

RSS Atom

About OSDN

Find Software

Develop Software

Help