diff options
author | Claudio Takahasi <claudio.takahasi@openbossa.org> | 2007-08-30 14:14:53 +0000 |
---|---|---|
committer | Claudio Takahasi <claudio.takahasi@openbossa.org> | 2007-08-30 14:14:53 +0000 |
commit | d039784990775ec85aa51f080b2db9feb0604a35 (patch) | |
tree | 4f44dc50df9a08ecd778d499fb373220ae4ecb6c /network | |
parent | 56e8f3fc3c15ceb035cda16d9dada129674cfeff (diff) |
network: more robust bnep setup conn msg validation
Diffstat (limited to 'network')
-rw-r--r-- | network/server.c | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/network/server.c b/network/server.c index 5a441ee6..672fd555 100644 --- a/network/server.c +++ b/network/server.c @@ -423,10 +423,10 @@ static gboolean connect_setup_event(GIOChannel *chan, struct bnep_setup_conn_req *req; unsigned char pkt[BNEP_MTU]; char path[MAX_PATH_LENGTH]; - gsize n; - GIOError gerr; - uint8_t *pservice; uint16_t dst_role, src_role, response; + uint8_t *pservice; + GIOError gerr; + gsize n; if (cond & G_IO_NVAL) return FALSE; @@ -437,30 +437,28 @@ static gboolean connect_setup_event(GIOChannel *chan, return FALSE; } + memset(pkt, 0, sizeof(pkt)); + n = 0; gerr = g_io_channel_read(chan, (gchar *)pkt, sizeof(pkt) - 1, &n); if (gerr != G_IO_ERROR_NONE) return FALSE; - if (n < sizeof(*req)) { - error("Invalid BNEP packet size"); - return FALSE; - } - - req = (void *)pkt; - if (req->type != BNEP_CONTROL || req->ctrl != BNEP_SETUP_CONN_REQ) { - error("Invalid BNEP control packet content"); - return FALSE; - } - + req = (struct bnep_setup_conn_req *) pkt; /* * FIXME: According to BNEP SPEC the UUID size can be * 2-16 bytes. Currently only 2 bytes size is supported */ - if (req->uuid_size != 2) { + if (req->uuid_size != 2 || n != (sizeof(*req) + req->uuid_size * 2)) { + error("Invalid BNEP packet size"); response = BNEP_CONN_INVALID_SVC; goto reply; } + if (req->type != BNEP_CONTROL || req->ctrl != BNEP_SETUP_CONN_REQ) { + error("Invalid BNEP control packet content"); + return FALSE; + } + pservice = req->service; /* Getting destination service: considering 2 bytes size */ dst_role = ntohs(bt_get_unaligned((uint16_t *) pservice)); |