Module Name:    src
Committed By:   maya
Date:           Mon Aug  5 13:39:19 UTC 2019

Modified Files:
        src/usr.sbin/bta2dpd/bta2dpd: avdtp.c

Log Message:
Avoid read overflows


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 src/usr.sbin/bta2dpd/bta2dpd/avdtp.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/bta2dpd/bta2dpd/avdtp.c
diff -u src/usr.sbin/bta2dpd/bta2dpd/avdtp.c:1.2 src/usr.sbin/bta2dpd/bta2dpd/avdtp.c:1.3
--- src/usr.sbin/bta2dpd/bta2dpd/avdtp.c:1.2	Wed Jul 25 19:03:50 2018
+++ src/usr.sbin/bta2dpd/bta2dpd/avdtp.c	Mon Aug  5 13:39:18 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: avdtp.c,v 1.2 2018/07/25 19:03:50 kamil Exp $ */
+/* $NetBSD: avdtp.c,v 1.3 2019/08/05 13:39:18 maya Exp $ */
 
 /*-
  * Copyright (c) 2015 - 2016 Nathanial Sloss <nathanialsl...@yahoo.com.au>
@@ -210,7 +210,7 @@ avdtpDiscover(uint8_t *buffer, size_t re
 	bool isSink;
 
 	if (recvsize >= 2) {
-		for (offset = 0;offset < recvsize;offset += 2) {
+		for (offset = 0; offset < recvsize - 1; offset += 2) {
 			sepInfo->sep = buffer[offset] >> 2;
 			sepInfo->media_Type = buffer[offset+1] >> 4;
 			isSink = (buffer[offset+1] >> 3) & 1;
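Review bot: The new bound `recvsize - 1` is safe only because of the enclosing `if (recvsize >= 2)` guard; recvsize appears to be a `size_t` (the hunk header is truncated), so without that guard a zero length would wrap to a huge bound. Writing the condition as `for (offset = 0; offset + 1 < recvsize; offset += 2)` states the real requirement, that `buffer[offset+1]` is in range, and stays correct if the guard is ever moved or removed. Failing that, a comment such as `/* recvsize >= 2 checked above, so recvsize - 1 cannot wrap */` would record the dependency. The body of avdtpDiscover starts and ends outside the hunk.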
@@ -313,7 +313,7 @@ avdtpAutoConfigSBC(int fd, int recvfd, u
 	uint8_t supBitpoolMin, supBitpoolMax, tmp_mask;
 	size_t i;
 
-	for (i = 0; i < cap_len; i++) {
+	for (i = 0; i < cap_len - 5; i++) {
 		if (capabilities[i] == mediaTransport &&
 		    capabilities[i + 1] == 0 &&
 		    capabilities[i + 2] == mediaCodec &&
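Review bot: The bounds `cap_len - 5` here and `cap_len - 9` in the following hunk wrap around when cap_len is smaller than the constant, because `i` is a `size_t` and the comparison is done unsigned. With cap_len below 5 the loop still walks past the end of `capabilities`, and with cap_len from 5 to 8 the `i >= cap_len - 9` test never fires, so `capabilities[i + 6]` is read out of bounds. The declaration of cap_len is outside the hunk, so this assumes it is no wider than size_t; if the capabilities come from the remote device, as seems likely, the length is attacker-influenced. Moving the constant to the other side removes the subtraction: `for (i = 0; i + 5 < cap_len; i++)` and `if (i + 9 >= cap_len)`. The body of avdtpAutoConfigSBC continues outside both hunks.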
@@ -321,7 +321,7 @@ avdtpAutoConfigSBC(int fd, int recvfd, u
 		    capabilities[i + 5] == SBC_CODEC_ID)
 			break;
 	}
-	if (i >= cap_len)
+	if (i >= cap_len - 9)
 		goto auto_config_failed;
 
 	availFreqMode = capabilities[i + 6];
