emulator/bthost: Check length of received RFCOMM UA frames

author Marcin Kraglak <marcin.kraglak@tieto.com>

Tue, 11 Feb 2014 10:51:01 +0000 (11:51 +0100)

committer Johan Hedberg <johan.hedberg@intel.com>

Mon, 17 Feb 2014 12:31:20 +0000 (14:31 +0200)
author Marcin Kraglak <marcin.kraglak@tieto.com>
Tue, 11 Feb 2014 10:51:01 +0000 (11:51 +0100)
committer Johan Hedberg <johan.hedberg@intel.com>
Mon, 17 Feb 2014 12:31:20 +0000 (14:31 +0200)
diff --git a/emulator/bthost.c b/emulator/bthost.c

index 33a0544..ab90f4c 100644 (file)
--- a/emulator/bthost.c
+++ b/emulator/bthost.c
@@ -1619,14 +1619,20 @@ static void rfcomm_ua_recv(struct bthost *bthost, struct btconn *conn,
                                 uint16_t len)
  {
         const struct rfcomm_cmd *ua_hdr = data;
-       uint8_t channel = RFCOMM_GET_CHANNEL(ua_hdr->address);
+       uint8_t channel;
         struct rfcomm_connection_data *conn_data = bthost->rfcomm_conn_data;
-       uint8_t type = RFCOMM_GET_TYPE(ua_hdr->control);
+       uint8_t type;
         uint8_t buf[14];
         struct rfcomm_hdr *hdr;
         struct rfcomm_mcc *mcc;
         struct rfcomm_pn *pn_cmd;
  
+       if (len < sizeof(*ua_hdr))
+               return;
+
+       channel = RFCOMM_GET_CHANNEL(ua_hdr->address);
+       type = RFCOMM_GET_TYPE(ua_hdr->control);
+
         if (channel && conn_data && conn_data->channel == channel) {
                 if (conn_data->cb)
                         conn_data->cb(conn->handle, l2conn->scid,
author	Marcin Kraglak <marcin.kraglak@tieto.com>
	Tue, 11 Feb 2014 10:51:01 +0000 (11:51 +0100)
committer	Johan Hedberg <johan.hedberg@intel.com>
	Mon, 17 Feb 2014 12:31:20 +0000 (14:31 +0200)