Date:      Tue, 20 Oct 2015 18:01:08 +0000 (UTC)
From:      Maksim Yevmenkin <emax@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r289637 - head/usr.sbin/bluetooth/sdpcontrol
Message-ID:  <201510201801.t9KI18Ek016888@repo.freebsd.org>

Author: emax
Date: Tue Oct 20 18:01:08 2015
New Revision: 289637
URL: https://svnweb.freebsd.org/changeset/base/289637

Log:
  check boundaries while parsing SDP responses
  
  Reported by:	hps
  Reviewed by:	hps
  MFC after:	1 week

Modified:
  head/usr.sbin/bluetooth/sdpcontrol/search.c

Modified: head/usr.sbin/bluetooth/sdpcontrol/search.c
==============================================================================
--- head/usr.sbin/bluetooth/sdpcontrol/search.c	Tue Oct 20 17:58:21 2015	(r289636)
+++ head/usr.sbin/bluetooth/sdpcontrol/search.c	Tue Oct 20 18:01:08 2015	(r289637)
@@ -103,6 +103,12 @@ print_service_class_id_list(uint8_t cons
 		/* NOT REACHED */
 	}
 
+	if (len > (end - start)) {
+		fprintf(stderr, "Invalid Service Class ID List. " \
+				"Too long len=%d\n", len);
+		return;
+	}
+
 	while (start < end) {
 		SDP_GET8(type, start);
 		switch (type) {
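Review bot: The declared length is validated against the remaining bytes at `if (len > (end - start))` but never used afterwards, so the `while (start < end)` walk still runs to the caller's `end` rather than to the end of the sequence the response declares; if `len` is the sequence's own byte count, as the switch above suggests, `end = start + len;` after the guard would make the bound the parser uses the one it just validated. The same pattern is in the outer guards of `print_protocol_descriptor_list` (`@@ -342`) and `print_bluetooth_profile_descriptor_list` (`@@ -416`). Also, the `\` after `"Invalid Service Class ID List. "` is a no-op line continuation, since adjacent string literals concatenate on their own. print_service_class_id_list begins above this hunk and its loop body continues below it.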
@@ -259,28 +265,31 @@ print_protocol_descriptor(uint8_t const 
 		case SDP_DATA_STR8:
 		case SDP_DATA_URL8:
 			SDP_GET8(len, start);
-			fprintf(stdout, "%*.*s\n", len, len, (char *) start);
-			start += len;
+			for (; start < end && len > 0; start ++, len --)
+				fprintf(stdout, "%c", *start);
+			fprintf(stdout, "\n");
 			break;
 
 		case SDP_DATA_STR16:
 		case SDP_DATA_URL16:
 			SDP_GET16(len, start);
-			fprintf(stdout, "%*.*s\n", len, len, (char *) start);
-			start += len;
+			for (; start < end && len > 0; start ++, len --)
+				fprintf(stdout, "%c", *start);
+			fprintf(stdout, "\n");
 			break;
 
 		case SDP_DATA_STR32:
 		case SDP_DATA_URL32:
 			SDP_GET32(len, start);
-			fprintf(stdout, "%*.*s\n", len, len, (char *) start);
-			start += len;
+			for (; start < end && len > 0; start ++, len --)
+				fprintf(stdout, "%c", *start);
+			fprintf(stdout, "\n");
 			break;
 
 		case SDP_DATA_SEQ8:
 		case SDP_DATA_ALT8:
 			SDP_GET8(len, start);
-			for (; len > 0; start ++, len --)
+			for (; start < end && len > 0; start ++, len --)
 				fprintf(stdout, "%#2.2x ", *start);
 			fprintf(stdout, "\n");
 			break;
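Review bot: The length fetch that precedes each newly bounded loop is itself unbounded: `SDP_GET8(len, start)` in the STR8 case consumes the one byte the enclosing `start < end` may have guaranteed for the type, and the STR16/STR32/SEQ32 cases here, plus SEQ16/SEQ32 in the hunks at `@@ -288` and `@@ -296`, read two or four bytes with no check that they remain before `end`, so a response truncated inside a length field still over-reads before the new guard runs; a check such as `if (end - start < 4) { fprintf(stdout, "\n"); break; }` ahead of each `SDP_GET32` (2 and 1 for the narrower forms) would close that. Whether such an over-read leaves the underlying buffer depends on how `end` is derived from the allocation, which is outside the hunk. Separately, the new `%c` loops forward every wire byte to stdout unfiltered, as the replaced `%*.*s` did; `fputc(isprint((unsigned char)*start) ? *start : '.', stdout)` would keep control sequences from a remote peer off the user's terminal. print_protocol_descriptor's loop starts above this hunk.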
@@ -288,7 +297,7 @@ print_protocol_descriptor(uint8_t const 
 		case SDP_DATA_SEQ16:
 		case SDP_DATA_ALT16:
 			SDP_GET16(len, start);
-			for (; len > 0; start ++, len --)
+			for (; start < end && len > 0; start ++, len --)
 				fprintf(stdout, "%#2.2x ", *start);
 			fprintf(stdout, "\n");
 			break;
@@ -296,7 +305,7 @@ print_protocol_descriptor(uint8_t const 
 		case SDP_DATA_SEQ32:
 		case SDP_DATA_ALT32:
 			SDP_GET32(len, start);
-			for (; len > 0; start ++, len --)
+			for (; start < end && len > 0; start ++, len --)
 				fprintf(stdout, "%#2.2x ", *start);
 			fprintf(stdout, "\n");
 			break;
@@ -342,6 +351,12 @@ print_protocol_descriptor_list(uint8_t c
 		/* NOT REACHED */
 	}
 
+	if (len > (end - start)) {
+		fprintf(stderr, "Invalid Protocol Descriptor List. " \
+				"Too long, len=%d\n", len);
+		return;
+	}
+
 	while (start < end) {
 		SDP_GET8(type, start);
 		switch (type) {
@@ -364,6 +379,12 @@ print_protocol_descriptor_list(uint8_t c
 			/* NOT REACHED */
 		}
 
+		if (len > (end - start)) {
+			fprintf(stderr, "Invalid Protocol Descriptor List. " \
+					"Too long, len=%d\n", len);
+			return;
+		}
+
 		print_protocol_descriptor(start, start + len);
 		start += len;
 	}
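Review bot: The inner guard's message is identical to the outer one at `@@ -342` (`"Invalid Protocol Descriptor List. " "Too long, len=%d\n"`), so a reader of stderr cannot tell whether the sequence header or an individual descriptor's length was rejected; `"Invalid Protocol Descriptor. Too long, len=%d\n"` at this site would separate the two. The `len` this check consumes is produced by the SDP_GET* in the switch above the hunk; if those fetches are not themselves compared against `end`, the guard runs after the read it is meant to prevent, so a remaining-bytes check ahead of them is worth confirming. The same two observations apply to the inner guard in `print_bluetooth_profile_descriptor_list` (`@@ -439`). The loop and function continue outside the hunk.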
@@ -416,6 +437,12 @@ print_bluetooth_profile_descriptor_list(
 		/* NOT REACHED */
 	}
 
+	if (len > (end - start)) {
+		fprintf(stderr, "Invalid Bluetooth Profile Descriptor List. " \
+				"Too long, len=%d\n", len);
+		return;
+	}
+
 	while (start < end) {
 		SDP_GET8(type, start);
 		switch (type) {
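Review bot: `%d` in the new `fprintf(stderr, ...)` is only correct if `len` is a signed int; its declaration is outside the hunk, and the SDP_GET32 used to fill it elsewhere in this file suggests a 32-bit unsigned type, in which case `%u` is the matching specifier and `-Wformat` will flag `%d`. The same specifier appears at every guard this commit adds (`@@ -103`, `@@ -342`, `@@ -364`, `@@ -439`), so if `len` is `uint32_t` all of them need the change together. print_bluetooth_profile_descriptor_list begins above this hunk.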
@@ -439,6 +466,13 @@ print_bluetooth_profile_descriptor_list(
 			/* NOT REACHED */
 		}
 
+		if (len > (end - start)) {
+			fprintf(stderr, "Invalid Bluetooth Profile " \
+					"Descriptor List. " \
+					"Too long, len=%d\n", len);
+			return;
+		}
+
 		/* Get UUID */
 		SDP_GET8(type, start);
 		switch (type) {
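Review bot: The new guard establishes that `len` bytes remain before `end`, but the reads that follow it, `SDP_GET8(type, start)` and presumably the UUID and version fetches in the switch below the hunk, are sized by the type byte rather than by `len`, so a descriptor whose declared `len` is shorter than its type implies can still read past the bytes the check reserved. Bounding the element with its own end, `uint8_t const *elem_end = start + len;`, and checking `elem_end - start` before each fetch in the switch would keep the reads inside what the guard validated. The switch body and the rest of the loop are outside the hunk.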


