Message ID | 20210501003717.7553-2-luiz.dentz@gmail.com (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Luiz Von Dentz |
Series | [BlueZ,1/3] avdtp: Fix accepting invalid/malformed capabilities |
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c index 05dd791de..c6a342ee3 100644 --- a/profiles/audio/avrcp.c +++ b/profiles/audio/avrcp.c @@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction, goto err_metadata; } + operands += sizeof(*pdu); + operand_count -= sizeof(*pdu); + + if (pdu->params_len != operand_count) { + DBG("AVRCP PDU parameters length don't match"); + pdu->params_len = operand_count; + } + for (handler = session->control_handlers; handler->pdu_id; handler++) { if (handler->pdu_id == pdu->pdu_id) break;
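Review bot: In the new `if (pdu->params_len != operand_count)` branch, a length mismatch is only logged and then overwritten with `pdu->params_len = operand_count;` before the handler lookup continues, so a PDU whose declared length disagrees with the bytes received is still dispatched to a handler. Consider rejecting it through the `goto err_metadata;` path already used just above, or add a comment explaining why tolerating the mismatch is required. Two things to confirm from code outside this hunk: that the check ending just above guarantees `operand_count >= sizeof(*pdu)` before `operand_count -= sizeof(*pdu);`, since the subtraction would otherwise wrap, and that `params_len` is in host byte order at this point. If the field is kept as received from the wire, both the comparison and the assignment need a byte-order conversion.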
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

This makes sure the number of bytes in the params_len matches the remaining bytes received so the code doesn't end up accessing invalid memory.

---
 profiles/audio/avrcp.c | 8 ++++++++
 1 file changed, 8 insertions(+)