Bluetooth: SDP: Validate SSA response PDU

Adds two extra checks against invalid length of attribute payload frame. Jira: ZEP-1112 Change-Id: I089442a5b9631471f9f394860681f1483e021c43 Signed-off-by: Arkadiusz Lichwa <[email protected]>
sunkaizhu · Jan 5, 2017 · 3304cbc · 3304cbc
1 parent 7c6063c
commit 3304cbc
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/subsys/bluetooth/host/sdp.c b/subsys/bluetooth/host/sdp.c
@@ -501,6 +501,12 @@ static void sdp_client_receive(struct bt_l2cap_chan *chan, struct net_buf *buf)
 	case BT_SDP_SVC_SEARCH_ATTR_RSP:
 		/* Get number of attributes in this frame. */
 		frame_len = net_buf_pull_be16(buf);
+		/* Check valid range of attributes length */
+		if (frame_len < 2) {
+			BT_ERR("Invalid attributes data length");
+			return;
+		}
+
 		/* Get PDU continuation state */
 		cstate = (struct bt_sdp_pdu_cstate *)(buf->data + frame_len);
 
@@ -510,6 +516,11 @@ static void sdp_client_receive(struct bt_l2cap_chan *chan, struct net_buf *buf)
 			return;
 		}
 
+		if ((frame_len + cstate->length) > len) {
+			BT_ERR("Invalid frame payload length");
+			return;
+		}
+
 		/* No record found for given UUID */
 		if (frame_len == 2 && cstate->length == 0 &&
 		    session->cstate.length == 0) {