unsigned int cpy_len, rem_len;
UINT32 list_len;
UINT8 *p;
+ UINT8 *p_end;
UINT8 type;
#if (SDP_DEBUG_RAW == TRUE)
cpy_len = p_ccb->p_db->raw_size - p_ccb->p_db->raw_used;
list_len = p_ccb->list_len;
p = &p_ccb->rsp_list[0];
+ p_end = &p_ccb->rsp_list[0] + list_len;
if(offset)
{
cpy_len -= 1;
type = *p++;
uint8_t* old_p = p;
- p = sdpu_get_len_from_type (p, type, &list_len);
+ p = sdpu_get_len_from_type (p, p_end, type, &list_len);
+ if (p == NULL || (p + list_len) > p_end) {
+ SDP_TRACE_WARNING("%s: bad length", __func__);
+ return;
+ }
if ((int)cpy_len < (p - old_p)) {
SDP_TRACE_WARNING("%s: no bytes left for data", __func__);
return;
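Review bot: The guard added at L18 forms the pointer `p + list_len` before comparing it with p_end; list_len is taken from the peer's response, so the sum can land far outside rsp_list, which is undefined behaviour in C and a comparison the optimiser may fold away. Checking the remaining room instead never forms an out-of-range pointer: `if (p == NULL || p > p_end || (UINT32)(p_end - p) < list_len) {`. The same `(p + len) > end` shape is used at L30, L40, L49 and L60, and the `p + N > p_end` guards at L77, L85 and L93 have the same issue when p is already within a few bytes of p_end. The enclosing function begins before L1 and continues past L24.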
SDP_TRACE_WARNING ("SDP - Wrong type: 0x%02x in attr_rsp", type);
return;
}
- p = sdpu_get_len_from_type (p, type, &seq_len);
+ p = sdpu_get_len_from_type (p, p + p_ccb->list_len, type, &seq_len);
+ if (p == NULL || (p + seq_len) > (p + p_ccb->list_len)) {
+ SDP_TRACE_WARNING("%s: bad length", __func__);
+ return;
+ }
p_end = &p_ccb->rsp_list[p_ccb->list_len];
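Review bot: The check at L30 compares `p + seq_len` against `p + p_ccb->list_len` with the same p on both sides, and that p has already been advanced by sdpu_get_len_from_type on L29, so the test reduces to `seq_len > p_ccb->list_len` and ignores every byte consumed before it. The true end of the buffer is already computed on L34 as `&p_ccb->rsp_list[p_ccb->list_len]`; hoisting that assignment above the call and using it for both the bound passed in and the comparison gives an exact check: `p_end = &p_ccb->rsp_list[p_ccb->list_len];` / `p = sdpu_get_len_from_type (p, p_end, type, &seq_len);` / `if (p == NULL || (p + seq_len) > p_end) {`. The bound passed on L29 has the same drift if p was advanced past the type byte before this hunk, which the trace on L25 suggests. The enclosing function starts before L25 and continues after L34.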
return (NULL);
}
- p = sdpu_get_len_from_type (p, type, &seq_len);
- if ((p + seq_len) > p_msg_end)
+ p = sdpu_get_len_from_type (p, p_msg_end, type, &seq_len);
+ if (p == NULL || (p + seq_len) > p_msg_end)
{
SDP_TRACE_WARNING ("SDP - Bad len in attr_rsp %d", seq_len);
return (NULL);
{
/* First get the attribute ID */
type = *p++;
- p = sdpu_get_len_from_type (p, type, &attr_len);
+ p = sdpu_get_len_from_type (p, p_msg_end, type, &attr_len);
+ if (p == NULL || (p + attr_len) > p_seq_end) {
+ SDP_TRACE_WARNING("%s: Bad len in attr_rsp %d", __func__, attr_len);
+ return (NULL);
+ }
if (((type >> 3) != UINT_DESC_TYPE) || (attr_len != 2))
{
SDP_TRACE_WARNING ("SDP - Bad type: 0x%02x or len: %d in attr_rsp", type, attr_len);
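Review bot: L48 bounds the length-byte read with p_msg_end while L49 bounds the attribute value with p_seq_end, so the two limits disagree; if p_seq_end lies inside the message, as its name suggests, a malformed sequence can have its length bytes read from beyond the sequence's own end while still passing both checks. Passing the tighter limit to both keeps the whole parse inside the sequence: `p = sdpu_get_len_from_type (p, p_seq_end, type, &attr_len);`. The enclosing loop and function begin before L44 and continue past L55.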
nest_level &= ~(SDP_ADDITIONAL_LIST_MASK);
type = *p++;
- p = sdpu_get_len_from_type (p, type, &attr_len);
+ p = sdpu_get_len_from_type (p, p_end, type, &attr_len);
+ if (p == NULL || (p + attr_len) > p_end) {
+ SDP_TRACE_WARNING("%s: bad length in attr_rsp", __func__);
+ return NULL;
+ }
attr_len &= SDP_DISC_ATTR_LEN_MASK;
attr_type = (type >> 3) & 0x0f;
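Review bot: L62 uses `return NULL;` while the other new early returns in this change (L43, L51) and the surrounding code use the `return (NULL);` form; keeping one form makes the new bail-out paths easy to grep, so suggest `return (NULL);` on L62. The trace on L61 also omits the offending length that the sibling trace on L50 prints; `SDP_TRACE_WARNING("%s: bad length in attr_rsp %d", __func__, attr_len);` would make log triage across the two paths consistent. The enclosing function begins before L56 and continues past L65.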
** Returns void
**
*******************************************************************************/
-UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 type, UINT32 *p_len)
+UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 *p_end, UINT8 type, UINT32 *p_len)
{
UINT8 u8;
UINT16 u16;
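Review bot: The header comment above the new signature still says `** Returns void` (L66) although the function returns a pointer and, with this change, NULL as a failure value that every caller must now check; neither p_end nor the NULL contract is documented. Suggest replacing that line with `** Returns Pointer to the byte after the length field, or NULL if the length` / `** bytes would extend past p_end (*p_len is set to 0 in that case)`, and adding a parameter line stating that p_end is one past the last readable byte. The function body continues past L73.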
*p_len = 16;
break;
case SIZE_IN_NEXT_BYTE:
+ if (p + 1 > p_end) {
+ *p_len = 0;
+ return NULL;
+ }
BE_STREAM_TO_UINT8 (u8, p);
*p_len = u8;
break;
case SIZE_IN_NEXT_WORD:
+ if (p + 2 > p_end) {
+ *p_len = 0;
+ return NULL;
+ }
BE_STREAM_TO_UINT16 (u16, p);
*p_len = u16;
break;
case SIZE_IN_NEXT_LONG:
+ if (p + 4 > p_end) {
+ *p_len = 0;
+ return NULL;
+ }
BE_STREAM_TO_UINT32 (u32, p);
*p_len = (UINT16) u32;
break;
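Review bot: The guard at L93 confirms that four length bytes are readable, but L98 then stores `*p_len = (UINT16) u32;`, so a peer-declared length of 0x10000 or more reaches the callers' new `(p + len) > end` checks as a much smaller value and the element is parsed with a size that was never validated. Since p_len is a UINT32, `*p_len = u32;` would let the callers reject the oversized element instead; the cast looks like a leftover, but worth confirming no caller depends on the truncation. The three guards would also be better written as `if (p_end - p < 4) {` (and 1, 2 respectively) so that no pointer past the end of the buffer is formed. The switch and function continue past L99.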
extern UINT8 *sdpu_extract_attr_seq (UINT8 *p, UINT16 param_len, tSDP_ATTR_SEQ *p_seq);
extern UINT8 *sdpu_extract_uid_seq (UINT8 *p, UINT16 param_len, tSDP_UUID_SEQ *p_seq);
-extern UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 type, UINT32 *p_len);
+extern UINT8 *sdpu_get_len_from_type (UINT8 *p, UINT8 *p_end, UINT8 type, UINT32 *p_len);
extern BOOLEAN sdpu_is_base_uuid (UINT8 *p_uuid);
extern BOOLEAN sdpu_compare_uuid_arrays (UINT8 *p_uuid1, UINT32 len1, UINT8 *p_uuid2, UINT16 len2);
extern BOOLEAN sdpu_compare_bt_uuids (tBT_UUID *p_uuid1, tBT_UUID *p_uuid2);