According to the SDP specification, the byte count fields for these PDUs have
a valid range of 0x0002-0xFFFF.
rsp_count = bt_get_be16(pdata);
SDPDBG("Attrlist byte count : %d\n", rsp_count);
+ /* Valid range for rsp_count is 0x0002-0xFFFF */
+ if (rsp_count < 0x0002) {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid AttrList size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
+ }
+
/*
* Number of bytes in the AttributeLists parameter(without
* continuation state) + AttributeListsByteCount field size.