Module Name:    src
Committed By:   plunky
Date:           Tue Apr  5 18:19:04 UTC 2011

Modified Files:
        src/lib/libbluetooth: sdp_put.c sdp_set.c

Log Message:
Don't add the passed in 'len' value while testing if the data
space is large enough, to handle the edge case where len is
large (up to SSIZE_MAX may be valid on some machines) causing
pointers to wrap around and the fail condition to be missed.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.5 src/lib/libbluetooth/sdp_put.c
cvs rdiff -u -r1.2 -r1.3 src/lib/libbluetooth/sdp_set.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/lib/libbluetooth/sdp_put.c
diff -u src/lib/libbluetooth/sdp_put.c:1.4 src/lib/libbluetooth/sdp_put.c:1.5
--- src/lib/libbluetooth/sdp_put.c:1.4	Mon Apr  4 19:51:33 2011
+++ src/lib/libbluetooth/sdp_put.c	Tue Apr  5 18:19:04 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: sdp_put.c,v 1.4 2011/04/04 19:51:33 plunky Exp $	*/
+/*	$NetBSD: sdp_put.c,v 1.5 2011/04/05 18:19:04 plunky Exp $	*/
 
 /*-
  * Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: sdp_put.c,v 1.4 2011/04/04 19:51:33 plunky Exp $");
+__RCSID("$NetBSD: sdp_put.c,v 1.5 2011/04/05 18:19:04 plunky Exp $");
 
 #include <bluetooth.h>
 #include <limits.h>
@@ -51,7 +51,7 @@
 
 	len = value->end - value->next;
 
-	if (data->next + len > data->end)
+	if (len > data->end - data->next)
 		return false;
 
 	memcpy(data->next, value->next, (size_t)len);
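Review bot: The rewritten test `len > data->end - data->next` only rejects bad input when `len` is non-negative, and nothing in this hunk establishes that. The `(size_t)len` cast on the memcpy suggests `len` is signed, so a negative `value->end - value->next` would pass the check and become a very large copy length. Unless validation earlier in the function (outside this hunk) guarantees `value->next <= value->end`, the guard should read `if (len < 0 || len > data->end - data->next)`. A short comment such as `/* compare against remaining space; data->next + len may wrap */` would also keep the comparison from being rearranged back into the additive form later.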
@@ -304,21 +304,21 @@
 		return false;
 
 	if ((size_t)len > UINT16_MAX) {
-		if (p + 5 + len > data->end)
+		if (len > data->end - 5 - p)
 			return false;
 
 		p[0] = type | SDP_DATA_EXT32;
 		be32enc(p + 1, (uint32_t)len);
 		p += 5;
 	} else if ((size_t)len > UINT8_MAX) {
-		if (p + 3 + len > data->end)
+		if (len > data->end - 3 - p)
 			return false;
 
 		p[0] = type | SDP_DATA_EXT16;
 		be16enc(p + 1, (uint16_t)len);
 		p += 3;
 	} else {
-		if (p + 2 + len > data->end)
+		if (len > data->end - 2 - p)
 			return false;
 
 		p[0] = type | SDP_DATA_EXT8;
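Review bot: The new checks are written as `data->end - 5 - p`, which C parses as `(data->end - 5) - p`, so an intermediate pointer below `data->end` is formed before the difference is taken. If the buffer is shorter than the header size, that pointer lies before the start of the object, which is the same class of out-of-range pointer arithmetic this commit sets out to remove. Taking the pointer difference first keeps the rest in integer arithmetic: `if (len > data->end - p - 5)`, and likewise with `3` and `2`. That matches the `len = data->end - p - 1` form in the context lines of sdp_set.c, whose three changed checks (`data->end - 1 - p`, `data->end - 2 - p`, `data->end - 4 - p`) have the same ordering. The enclosing function starts and ends outside this hunk, so an earlier minimum-size check may already cover this; it is not visible here.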

Index: src/lib/libbluetooth/sdp_set.c
diff -u src/lib/libbluetooth/sdp_set.c:1.2 src/lib/libbluetooth/sdp_set.c:1.3
--- src/lib/libbluetooth/sdp_set.c:1.2	Thu May 14 19:12:45 2009
+++ src/lib/libbluetooth/sdp_set.c	Tue Apr  5 18:19:04 2011
@@ -1,4 +1,4 @@
-/*	$NetBSD: sdp_set.c,v 1.2 2009/05/14 19:12:45 plunky Exp $	*/
+/*	$NetBSD: sdp_set.c,v 1.3 2011/04/05 18:19:04 plunky Exp $	*/
 
 /*-
  * Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: sdp_set.c,v 1.2 2009/05/14 19:12:45 plunky Exp $");
+__RCSID("$NetBSD: sdp_set.c,v 1.3 2011/04/05 18:19:04 plunky Exp $");
 
 #include <bluetooth.h>
 #include <limits.h>
@@ -187,7 +187,7 @@
 				return false;
 
 			len = data->end - p - 1;
-		} else if (p + 1 + len > data->end)
+		} else if (len > data->end - 1 - p)
 			return false;
 
 		if (len > UINT8_MAX)
@@ -202,7 +202,7 @@
 				return false;
 
 			len = data->end - p - 2;
-		} else if (p + 2 + len > data->end)
+		} else if (len > data->end - 2 - p)
 			return false;
 
 		if (len > UINT16_MAX)
@@ -217,7 +217,7 @@
 				return false;
 
 			len = data->end - p - 4;
-		} else if (p + 4 + len > data->end)
+		} else if (len > data->end - 4 - p)
 			return false;
 
 		if ((size_t)len > UINT32_MAX)
