summaryrefslogtreecommitdiff
path: root/network
diff options
context:
space:
mode:
authorClaudio Takahasi <claudio.takahasi@openbossa.org>2007-08-30 14:14:53 +0000
committerClaudio Takahasi <claudio.takahasi@openbossa.org>2007-08-30 14:14:53 +0000
commitd039784990775ec85aa51f080b2db9feb0604a35 (patch)
tree4f44dc50df9a08ecd778d499fb373220ae4ecb6c /network
parent56e8f3fc3c15ceb035cda16d9dada129674cfeff (diff)
network: more robust bnep setup conn msg validation
Diffstat (limited to 'network')
-rw-r--r--network/server.c28
1 files changed, 13 insertions, 15 deletions
diff --git a/network/server.c b/network/server.c
index 5a441ee6..672fd555 100644
--- a/network/server.c
+++ b/network/server.c
@@ -423,10 +423,10 @@ static gboolean connect_setup_event(GIOChannel *chan,
struct bnep_setup_conn_req *req;
unsigned char pkt[BNEP_MTU];
char path[MAX_PATH_LENGTH];
- gsize n;
- GIOError gerr;
- uint8_t *pservice;
uint16_t dst_role, src_role, response;
+ uint8_t *pservice;
+ GIOError gerr;
+ gsize n;
if (cond & G_IO_NVAL)
return FALSE;
@@ -437,30 +437,28 @@ static gboolean connect_setup_event(GIOChannel *chan,
return FALSE;
}
+ memset(pkt, 0, sizeof(pkt));
+ n = 0;
gerr = g_io_channel_read(chan, (gchar *)pkt, sizeof(pkt) - 1, &n);
if (gerr != G_IO_ERROR_NONE)
return FALSE;
- if (n < sizeof(*req)) {
- error("Invalid BNEP packet size");
- return FALSE;
- }
-
- req = (void *)pkt;
- if (req->type != BNEP_CONTROL || req->ctrl != BNEP_SETUP_CONN_REQ) {
- error("Invalid BNEP control packet content");
- return FALSE;
- }
-
+ req = (struct bnep_setup_conn_req *) pkt;
/*
* FIXME: According to BNEP SPEC the UUID size can be
* 2-16 bytes. Currently only 2 bytes size is supported
*/
- if (req->uuid_size != 2) {
+ if (req->uuid_size != 2 || n != (sizeof(*req) + req->uuid_size * 2)) {
+ error("Invalid BNEP packet size");
response = BNEP_CONN_INVALID_SVC;
goto reply;
}
+ if (req->type != BNEP_CONTROL || req->ctrl != BNEP_SETUP_CONN_REQ) {
+ error("Invalid BNEP control packet content");
+ return FALSE;
+ }
+
pservice = req->service;
/* Getting destination service: considering 2 bytes size */
dst_role = ntohs(bt_get_unaligned((uint16_t *) pservice));