Hello community,
here is the log from the commit of package bluez-libs
checked in at Tue Jul 15 20:45:14 CEST 2008.
--------
--- bluez-libs/bluez-libs.changes 2008-05-21 11:50:37.000000000 +0200
+++ bluez-libs/bluez-libs.changes 2008-06-27 19:36:00.000000000 +0200
@@ -1,0 +2,11 @@
+Fri Jun 27 19:31:17 CEST 2008 - seife@suse.de
+
+- update to v3.34:
+ - Replace various SDP functions with safe versions.
+ - Add additional length validation for incoming SDP packets.
+- v3.33:
+ - Add functions for reading and writing the link policy settings.
+ - Add definition for authentication requirements.
+ - Enable PIE by default if supported.
+
+-------------------------------------------------------------------
Old:
----
bluez-libs-3.32.tar.bz2
New:
----
bluez-libs-3.34.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bluez-libs.spec ++++++
--- /var/tmp/diff_new_pack.D26804/_old 2008-07-15 20:43:52.000000000 +0200
+++ /var/tmp/diff_new_pack.D26804/_new 2008-07-15 20:43:52.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package bluez-libs (Version 3.32)
+# spec file for package bluez-libs (Version 3.34)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -13,7 +13,7 @@
Name: bluez-libs
Url: http://bluez.sourceforge.net
-Version: 3.32
+Version: 3.34
Release: 1
Summary: Bluetooth Libraries
License: GPL v2 or later
@@ -67,6 +67,14 @@
%doc AUTHORS COPYING INSTALL ChangeLog NEWS README
%changelog
+* Fri Jun 27 2008 seife@suse.de
+- update to v3.34:
+ - Replace various SDP functions with safe versions.
+ - Add additional length validation for incoming SDP packets.
+- v3.33:
+ - Add functions for reading and writing the link policy settings.
+ - Add definition for authentication requirements.
+ - Enable PIE by default if supported.
* Wed May 21 2008 seife@suse.de
- update to v3.32:
- Add OCF constants for synchronous flow control enabling.
++++++ bluez-libs-3.32.tar.bz2 -> bluez-libs-3.34.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/acinclude.m4 new/bluez-libs-3.34/acinclude.m4
--- old/bluez-libs-3.32/acinclude.m4 2008-05-05 22:54:17.000000000 +0200
+++ new/bluez-libs-3.34/acinclude.m4 2008-06-18 18:19:56.000000000 +0200
@@ -45,13 +45,18 @@
])
AC_DEFUN([AC_ARG_BLUEZ], [
- fortify_enable=yes
debug_enable=no
+ fortify_enable=yes
+ pie_enable=yes
AC_ARG_ENABLE(fortify, AC_HELP_STRING([--disable-fortify], [disable compile time buffer checks]), [
fortify_enable=${enableval}
])
+ AC_ARG_ENABLE(pie, AC_HELP_STRING([--disable-pie], [enable position independent executables flag]), [
+ pie_enable=${enableval}
+ ])
+
AC_ARG_ENABLE(debug, AC_HELP_STRING([--enable-debug], [enable compiling with debugging information]), [
debug_enable=${enableval}
])
@@ -60,6 +65,11 @@
CFLAGS="$CFLAGS -D_FORTIFY_SOURCE=2"
fi
+ if (test "${pie_enable}" = "yes" && test "${ac_cv_prog_cc_pie}" = "yes"); then
+ CFLAGS="$CFLAGS -fPIC"
+ LDFLAGS="$LDFLAGS -pie"
+ fi
+
if (test "${debug_enable}" = "yes" && test "${ac_cv_prog_cc_g}" = "yes"); then
CFLAGS="$CFLAGS -g -O0"
fi
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/ChangeLog new/bluez-libs-3.34/ChangeLog
--- old/bluez-libs-3.32/ChangeLog 2008-05-20 17:48:29.000000000 +0200
+++ new/bluez-libs-3.34/ChangeLog 2008-06-24 02:22:16.000000000 +0200
@@ -1,3 +1,12 @@
+ver 3.34:
+ Replace various SDP functions with safe versions.
+ Add additional length validation for incoming SDP packets.
+
+ver 3.33:
+ Add functions for reading and writing the link policy settings.
+ Add definition for authentication requirements.
+ Enable PIE by default if supported.
+
ver 3.32:
Add OCF constants for synchronous flow control enabling.
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/configure new/bluez-libs-3.34/configure
--- old/bluez-libs-3.32/configure 2008-05-20 17:50:39.000000000 +0200
+++ new/bluez-libs-3.34/configure 2008-06-24 02:22:56.000000000 +0200
@@ -1457,6 +1457,7 @@
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--disable-fortify disable compile time buffer checks
+ --disable-pie enable position independent executables flag
--enable-debug enable compiling with debugging information
Optional Packages:
@@ -2236,7 +2237,7 @@
# Define the identity of the package.
PACKAGE=bluez-libs
- VERSION=3.32
+ VERSION=3.34
cat >>confdefs.h <<_ACEOF
@@ -3542,6 +3543,25 @@
fi
+
+ { echo "$as_me:$LINENO: checking whether ${CC-cc} accepts -fPIE" >&5
+echo $ECHO_N "checking whether ${CC-cc} accepts -fPIE... $ECHO_C" >&6; }
+if test "${ac_cv_prog_cc_pie+set}" = set; then
+ echo $ECHO_N "(cached) $ECHO_C" >&6
+else
+
+ echo 'void f(){}' > conftest.c
+ if test -z "`${CC-cc} -fPIE -pie -c conftest.c 2>&1`"; then
+ ac_cv_prog_cc_pie=yes
+ else
+ ac_cv_prog_cc_pie=no
+ fi
+ rm -rf conftest*
+
+fi
+{ echo "$as_me:$LINENO: result: $ac_cv_prog_cc_pie" >&5
+echo "${ECHO_T}$ac_cv_prog_cc_pie" >&6; }
+
# Find a good install program. We prefer a C program (faster),
# so one script is as good as another. But avoid the broken or
# incompatible versions:
@@ -4434,7 +4454,7 @@
;;
*-*-irix6*)
# Find out which ABI we are using.
- echo '#line 4437 "configure"' > conftest.$ac_ext
+ echo '#line 4457 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5
ac_status=$?
@@ -6205,11 +6225,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6208: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6228: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6212: \$? = $ac_status" >&5
+ echo "$as_me:6232: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -6495,11 +6515,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6498: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6518: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err)
ac_status=$?
cat conftest.err >&5
- echo "$as_me:6502: \$? = $ac_status" >&5
+ echo "$as_me:6522: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output.
@@ -6599,11 +6619,11 @@
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'`
- (eval echo "\"\$as_me:6602: $lt_compile\"" >&5)
+ (eval echo "\"\$as_me:6622: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err)
ac_status=$?
cat out/conftest.err >&5
- echo "$as_me:6606: \$? = $ac_status" >&5
+ echo "$as_me:6626: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext
then
# The compiler can only warn and ignore the option if not recognized
@@ -8950,7 +8970,7 @@
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown
cat > conftest.$ac_ext < conftest.$ac_ext <
#include
#include
-#include
#include
#include
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/src/hci.c new/bluez-libs-3.34/src/hci.c
--- old/bluez-libs-3.32/src/hci.c 2008-02-02 00:14:55.000000000 +0100
+++ new/bluez-libs-3.34/src/hci.c 2008-06-18 18:19:57.000000000 +0200
@@ -32,7 +32,6 @@
#include
#include
#include
-#include
#include
#include
@@ -2232,6 +2231,60 @@
return 0;
}
+int hci_read_link_policy(int dd, uint16_t handle, uint16_t *policy, int to)
+{
+ read_link_policy_rp rp;
+ struct hci_request rq;
+
+ memset(&rq, 0, sizeof(rq));
+ rq.ogf = OGF_LINK_POLICY;
+ rq.ocf = OCF_READ_LINK_POLICY;
+ rq.cparam = &handle;
+ rq.clen = 2;
+ rq.rparam = &rp;
+ rq.rlen = READ_LINK_POLICY_RP_SIZE;
+
+ if (hci_send_req(dd, &rq, to) < 0)
+ return -1;
+
+ if (rp.status) {
+ errno = EIO;
+ return -1;
+ }
+
+ *policy = rp.policy;
+ return 0;
+}
+
+int hci_write_link_policy(int dd, uint16_t handle, uint16_t policy, int to)
+{
+ write_link_policy_cp cp;
+ write_link_policy_rp rp;
+ struct hci_request rq;
+
+ memset(&cp, 0, sizeof(cp));
+ cp.handle = handle;
+ cp.policy = policy;
+
+ memset(&rq, 0, sizeof(rq));
+ rq.ogf = OGF_LINK_POLICY;
+ rq.ocf = OCF_WRITE_LINK_POLICY;
+ rq.cparam = &cp;
+ rq.clen = WRITE_LINK_POLICY_CP_SIZE;
+ rq.rparam = &rp;
+ rq.rlen = WRITE_LINK_POLICY_RP_SIZE;
+
+ if (hci_send_req(dd, &rq, to) < 0)
+ return -1;
+
+ if (rp.status) {
+ errno = EIO;
+ return -1;
+ }
+
+ return 0;
+}
+
int hci_read_link_supervision_timeout(int dd, uint16_t handle, uint16_t *timeout, int to)
{
read_link_supervision_timeout_rp rp;
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/src/Makefile.am new/bluez-libs-3.34/src/Makefile.am
--- old/bluez-libs-3.32/src/Makefile.am 2008-03-21 23:05:49.000000000 +0100
+++ new/bluez-libs-3.34/src/Makefile.am 2008-06-24 02:22:16.000000000 +0200
@@ -2,7 +2,7 @@
lib_LTLIBRARIES = libbluetooth.la
libbluetooth_la_SOURCES = bluetooth.c hci.c sdp.c
-libbluetooth_la_LDFLAGS = -version-info 11:6:9
+libbluetooth_la_LDFLAGS = -version-info 13:0:11
INCLUDES = -I$(top_builddir)/include
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/src/Makefile.in new/bluez-libs-3.34/src/Makefile.in
--- old/bluez-libs-3.32/src/Makefile.in 2008-05-20 17:50:37.000000000 +0200
+++ new/bluez-libs-3.34/src/Makefile.in 2008-06-24 02:22:54.000000000 +0200
@@ -175,7 +175,7 @@
top_srcdir = @top_srcdir@
lib_LTLIBRARIES = libbluetooth.la
libbluetooth_la_SOURCES = bluetooth.c hci.c sdp.c
-libbluetooth_la_LDFLAGS = -version-info 11:6:9
+libbluetooth_la_LDFLAGS = -version-info 13:0:11
INCLUDES = -I$(top_builddir)/include
MAINTAINERCLEANFILES = Makefile.in
all: all-am
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/bluez-libs-3.32/src/sdp.c new/bluez-libs-3.34/src/sdp.c
--- old/bluez-libs-3.32/src/sdp.c 2008-03-21 23:05:49.000000000 +0100
+++ new/bluez-libs-3.34/src/sdp.c 2008-06-24 02:17:45.000000000 +0200
@@ -34,7 +34,7 @@
#include
#include
#include
-#include
+#include
#include
#include
#include
@@ -904,15 +904,76 @@
free(d);
}
-static sdp_data_t *extract_int(const void *p, int *len)
+int sdp_uuid_extract_safe(const uint8_t *p, int bufsize, uuid_t *uuid, int *scanned)
{
- sdp_data_t *d = malloc(sizeof(sdp_data_t));
+ uint8_t type;
+
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ return -1;
+ }
+
+ type = *(const uint8_t *) p;
+
+ if (!SDP_IS_UUID(type)) {
+ SDPERR("Unknown data type : %d expecting a svc UUID\n", type);
+ return -1;
+ }
+ p += sizeof(uint8_t);
+ *scanned += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
+ if (type == SDP_UUID16) {
+ if (bufsize < sizeof(uint16_t)) {
+ SDPERR("Not enough room for 16-bit UUID");
+ return -1;
+ }
+ sdp_uuid16_create(uuid, ntohs(bt_get_unaligned((uint16_t *) p)));
+ *scanned += sizeof(uint16_t);
+ p += sizeof(uint16_t);
+ } else if (type == SDP_UUID32) {
+ if (bufsize < sizeof(uint32_t)) {
+ SDPERR("Not enough room for 32-bit UUID");
+ return -1;
+ }
+ sdp_uuid32_create(uuid, ntohl(bt_get_unaligned((uint32_t *) p)));
+ *scanned += sizeof(uint32_t);
+ p += sizeof(uint32_t);
+ } else {
+ if (bufsize < sizeof(uint128_t)) {
+ SDPERR("Not enough room for 128-bit UUID");
+ return -1;
+ }
+ sdp_uuid128_create(uuid, p);
+ *scanned += sizeof(uint128_t);
+ p += sizeof(uint128_t);
+ }
+ return 0;
+}
+
+int sdp_uuid_extract(const uint8_t *p, uuid_t *uuid, int *scanned)
+{
+ /* Assume p points to a buffer of size at least SDP_MAX_ATTR_LEN,
+ because we don't have any better information */
+ return sdp_uuid_extract_safe(p, SDP_MAX_ATTR_LEN, uuid, scanned);
+}
+
+static sdp_data_t *extract_int(const void *p, int bufsize, int *len)
+{
+ sdp_data_t *d;
+
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ return NULL;
+ }
+
+ d = malloc(sizeof(sdp_data_t));
SDPDBG("Extracting integer\n");
memset(d, 0, sizeof(sdp_data_t));
d->dtd = *(uint8_t *) p;
p += sizeof(uint8_t);
*len += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
switch (d->dtd) {
case SDP_DATA_NIL:
@@ -920,26 +981,51 @@
case SDP_BOOL:
case SDP_INT8:
case SDP_UINT8:
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
*len += sizeof(uint8_t);
d->val.uint8 = *(uint8_t *) p;
break;
case SDP_INT16:
case SDP_UINT16:
+ if (bufsize < sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
*len += sizeof(uint16_t);
d->val.uint16 = ntohs(bt_get_unaligned((uint16_t *) p));
break;
case SDP_INT32:
case SDP_UINT32:
+ if (bufsize < sizeof(uint32_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
*len += sizeof(uint32_t);
d->val.uint32 = ntohl(bt_get_unaligned((uint32_t *) p));
break;
case SDP_INT64:
case SDP_UINT64:
+ if (bufsize < sizeof(uint64_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
*len += sizeof(uint64_t);
d->val.uint64 = ntoh64(bt_get_unaligned((uint64_t *) p));
break;
case SDP_INT128:
case SDP_UINT128:
+ if (bufsize < sizeof(uint128_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
*len += sizeof(uint128_t);
ntoh128((uint128_t *) p, &d->val.uint128);
break;
@@ -950,13 +1036,13 @@
return d;
}
-static sdp_data_t *extract_uuid(const uint8_t *p, int *len, sdp_record_t *rec)
+static sdp_data_t *extract_uuid(const uint8_t *p, int bufsize, int *len, sdp_record_t *rec)
{
sdp_data_t *d = malloc(sizeof(sdp_data_t));
SDPDBG("Extracting UUID");
memset(d, 0, sizeof(sdp_data_t));
- if (sdp_uuid_extract(p, &d->val.uuid, len) < 0) {
+ if (sdp_uuid_extract_safe(p, bufsize, &d->val.uuid, len) < 0) {
free(d);
return NULL;
}
@@ -969,29 +1055,49 @@
/*
* Extract strings from the PDU (could be service description and similar info)
*/
-static sdp_data_t *extract_str(const void *p, int *len)
+static sdp_data_t *extract_str(const void *p, int bufsize, int *len)
{
char *s;
int n;
- sdp_data_t *d = malloc(sizeof(sdp_data_t));
+ sdp_data_t *d;
+
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ return NULL;
+ }
+
+ d = malloc(sizeof(sdp_data_t));
memset(d, 0, sizeof(sdp_data_t));
d->dtd = *(uint8_t *) p;
p += sizeof(uint8_t);
*len += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
switch (d->dtd) {
case SDP_TEXT_STR8:
case SDP_URL_STR8:
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
n = *(uint8_t *) p;
p += sizeof(uint8_t);
- *len += sizeof(uint8_t) + n;
+ *len += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
break;
case SDP_TEXT_STR16:
case SDP_URL_STR16:
+ if (bufsize < sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ free(d);
+ return NULL;
+ }
n = ntohs(bt_get_unaligned((uint16_t *) p));
p += sizeof(uint16_t);
*len += sizeof(uint16_t) + n;
+ bufsize -= sizeof(uint16_t);
break;
default:
SDPERR("Sizeof text string > UINT16_MAX\n");
@@ -999,10 +1105,23 @@
return 0;
}
+ if (bufsize < n) {
+ SDPERR("String too long to fit in packet");
+ free(d);
+ return NULL;
+ }
+
s = malloc(n + 1);
+ if (!s) {
+ SDPERR("Not enough memory for incoming string");
+ free(d);
+ return NULL;
+ }
memset(s, 0, n + 1);
memcpy(s, p, n);
+ *len += n;
+
SDPDBG("Len : %d\n", n);
SDPDBG("Str : %s\n", s);
@@ -1011,7 +1130,67 @@
return d;
}
-static sdp_data_t *extract_seq(const void *p, int *len, sdp_record_t *rec)
+/*
+ * Extract the sequence type and its length, and return offset into buf
+ * or 0 on failure.
+ */
+int sdp_extract_seqtype_safe(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *size)
+{
+ uint8_t dtd;
+ int scanned = sizeof(uint8_t);
+
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ return 0;
+ }
+
+ dtd = *(uint8_t *) buf;
+ buf += sizeof(uint8_t);
+ bufsize -= sizeof(uint8_t);
+ *dtdp = dtd;
+ switch (dtd) {
+ case SDP_SEQ8:
+ case SDP_ALT8:
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ return 0;
+ }
+ *size = *(uint8_t *) buf;
+ scanned += sizeof(uint8_t);
+ break;
+ case SDP_SEQ16:
+ case SDP_ALT16:
+ if (bufsize < sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ return 0;
+ }
+ *size = ntohs(bt_get_unaligned((uint16_t *) buf));
+ scanned += sizeof(uint16_t);
+ break;
+ case SDP_SEQ32:
+ case SDP_ALT32:
+ if (bufsize < sizeof(uint32_t)) {
+ SDPERR("Unexpected end of packet");
+ return 0;
+ }
+ *size = ntohl(bt_get_unaligned((uint32_t *) buf));
+ scanned += sizeof(uint32_t);
+ break;
+ default:
+ SDPERR("Unknown sequence type, aborting\n");
+ return 0;
+ }
+ return scanned;
+}
+
+int sdp_extract_seqtype(const uint8_t *buf, uint8_t *dtdp, int *size)
+{
+ /* Assume buf points to a buffer of size at least SDP_MAX_ATTR_LEN,
+ because we don't have any better information */
+ return sdp_extract_seqtype_safe(buf, SDP_MAX_ATTR_LEN, dtdp, size);
+}
+
+static sdp_data_t *extract_seq(const void *p, int bufsize, int *len, sdp_record_t *rec)
{
int seqlen, n = 0;
sdp_data_t *curr, *prev;
@@ -1019,17 +1198,24 @@
SDPDBG("Extracting SEQ");
memset(d, 0, sizeof(sdp_data_t));
- *len = sdp_extract_seqtype(p, &d->dtd, &seqlen);
+ *len = sdp_extract_seqtype_safe(p, bufsize, &d->dtd, &seqlen);
SDPDBG("Sequence Type : 0x%x length : 0x%x\n", d->dtd, seqlen);
if (*len == 0)
return d;
+ if (*len > bufsize) {
+ SDPERR("Packet not big enough to hold sequence.");
+ free(d);
+ return NULL;
+ }
+
p += *len;
+ bufsize -= *len;
curr = prev = NULL;
while (n < seqlen) {
int attrlen = 0;
- curr = sdp_extract_attr(p, &attrlen, rec);
+ curr = sdp_extract_attr_safe(p, bufsize, &attrlen, rec);
if (curr == NULL)
break;
@@ -1040,6 +1226,7 @@
prev = curr;
p += attrlen;
n += attrlen;
+ bufsize -= attrlen;
SDPDBG("Extracted: %d SequenceLength: %d", n, seqlen);
}
@@ -1048,11 +1235,18 @@
return d;
}
-sdp_data_t *sdp_extract_attr(const uint8_t *p, int *size, sdp_record_t *rec)
+sdp_data_t *sdp_extract_attr_safe(const uint8_t *p, int bufsize, int *size, sdp_record_t *rec)
{
sdp_data_t *elem;
int n = 0;
- uint8_t dtd = *(const uint8_t *)p;
+ uint8_t dtd;
+
+ if (bufsize < sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet");
+ return NULL;
+ }
+
+ dtd = *(const uint8_t *)p;
SDPDBG("extract_attr: dtd=0x%x", dtd);
switch (dtd) {
@@ -1068,12 +1262,12 @@
case SDP_INT32:
case SDP_INT64:
case SDP_INT128:
- elem = extract_int(p, &n);
+ elem = extract_int(p, bufsize, &n);
break;
case SDP_UUID16:
case SDP_UUID32:
case SDP_UUID128:
- elem = extract_uuid(p, &n, rec);
+ elem = extract_uuid(p, bufsize, &n, rec);
break;
case SDP_TEXT_STR8:
case SDP_TEXT_STR16:
@@ -1081,7 +1275,7 @@
case SDP_URL_STR8:
case SDP_URL_STR16:
case SDP_URL_STR32:
- elem = extract_str(p, &n);
+ elem = extract_str(p, bufsize, &n);
break;
case SDP_SEQ8:
case SDP_SEQ16:
@@ -1089,7 +1283,7 @@
case SDP_ALT8:
case SDP_ALT16:
case SDP_ALT32:
- elem = extract_seq(p, &n, rec);
+ elem = extract_seq(p, bufsize, &n, rec);
break;
default:
SDPERR("Unknown data descriptor : 0x%x terminating\n", dtd);
@@ -1099,6 +1293,13 @@
return elem;
}
+sdp_data_t *sdp_extract_attr(const uint8_t *p, int *size, sdp_record_t *rec)
+{
+ /* Assume p points to a buffer of size at least SDP_MAX_ATTR_LEN,
+ because we don't have any better information */
+ return sdp_extract_attr_safe(p, SDP_MAX_ATTR_LEN, size, rec);
+}
+
#ifdef SDP_DEBUG
static void attr_print_func(void *value, void *userData)
{
@@ -1122,7 +1323,7 @@
}
#endif
-sdp_record_t *sdp_extract_pdu(const uint8_t *buf, int *scanned)
+sdp_record_t *sdp_extract_pdu_safe(const uint8_t *buf, int bufsize, int *scanned)
{
int extracted = 0, seqlen = 0;
uint8_t dtd;
@@ -1130,21 +1331,30 @@
sdp_record_t *rec = sdp_record_alloc();
const uint8_t *p = buf;
- *scanned = sdp_extract_seqtype(buf, &dtd, &seqlen);
+ *scanned = sdp_extract_seqtype_safe(buf, bufsize, &dtd, &seqlen);
p += *scanned;
+ bufsize -= *scanned;
rec->attrlist = NULL;
- while (extracted < seqlen) {
+
+ while (extracted < seqlen && bufsize > 0) {
int n = sizeof(uint8_t), attrlen = 0;
sdp_data_t *data = NULL;
- SDPDBG("Extract PDU, sequenceLength: %d localExtractedLength: %d", seqlen, extracted);
+ SDPDBG("Extract PDU, sequenceLength: %d localExtractedLength: %d",
+ seqlen, extracted);
+
+ if (bufsize < n + sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ break;
+ }
+
dtd = *(uint8_t *) p;
attr = ntohs(bt_get_unaligned((uint16_t *) (p + n)));
n += sizeof(uint16_t);
SDPDBG("DTD of attrId : %d Attr id : 0x%x \n", dtd, attr);
- data = sdp_extract_attr(p + n, &attrlen, rec);
+ data = sdp_extract_attr_safe(p + n, bufsize - n, &attrlen, rec);
SDPDBG("Attr id : 0x%x attrValueLength : %d\n", attr, attrlen);
@@ -1162,9 +1372,11 @@
extracted += n;
p += n;
+ bufsize -= n;
sdp_attr_replace(rec, attr, data);
+
SDPDBG("Extract PDU, seqLength: %d localExtractedLength: %d",
- seqlen, extracted);
+ seqlen, extracted);
}
#ifdef SDP_DEBUG
SDPDBG("Successful extracting of Svc Rec attributes\n");
@@ -1174,6 +1386,13 @@
return rec;
}
+sdp_record_t *sdp_extract_pdu(const uint8_t *buf, int *scanned)
+{
+ /* Assume buf points to a buffer of size at least SDP_MAX_ATTR_LEN,
+ because we don't have any better information */
+ return sdp_extract_pdu_safe(buf, SDP_MAX_ATTR_LEN, scanned);
+}
+
#ifdef SDP_DEBUG
static void print_dataseq(sdp_data_t *p)
{
@@ -1262,40 +1481,6 @@
return NULL;
}
-/*
- * Extract the sequence type and its length, and return offset into buf
- * or 0 on failure.
- */
-int sdp_extract_seqtype(const uint8_t *buf, uint8_t *dtdp, int *size)
-{
- uint8_t dtd = *(uint8_t *) buf;
- int scanned = sizeof(uint8_t);
-
- buf += sizeof(uint8_t);
- *dtdp = dtd;
- switch (dtd) {
- case SDP_SEQ8:
- case SDP_ALT8:
- *size = *(uint8_t *) buf;
- scanned += sizeof(uint8_t);
- break;
- case SDP_SEQ16:
- case SDP_ALT16:
- *size = ntohs(bt_get_unaligned((uint16_t *) buf));
- scanned += sizeof(uint16_t);
- break;
- case SDP_SEQ32:
- case SDP_ALT32:
- *size = ntohl(bt_get_unaligned((uint32_t *) buf));
- scanned += sizeof(uint32_t);
- break;
- default:
- SDPERR("Unknown sequence type, aborting\n");
- return 0;
- }
- return scanned;
-}
-
int sdp_send_req(sdp_session_t *session, uint8_t *buf, uint32_t size)
{
uint32_t sent = 0;
@@ -2329,32 +2514,6 @@
return 0;
}
-int sdp_uuid_extract(const uint8_t *p, uuid_t *uuid, int *scanned)
-{
- uint8_t type = *(const uint8_t *) p;
-
- if (!SDP_IS_UUID(type)) {
- SDPERR("Unknown data type : %d expecting a svc UUID\n", type);
- return -1;
- }
- p += sizeof(uint8_t);
- *scanned += sizeof(uint8_t);
- if (type == SDP_UUID16) {
- sdp_uuid16_create(uuid, ntohs(bt_get_unaligned((uint16_t *) p)));
- *scanned += sizeof(uint16_t);
- p += sizeof(uint16_t);
- } else if (type == SDP_UUID32) {
- sdp_uuid32_create(uuid, ntohl(bt_get_unaligned((uint32_t *) p)));
- *scanned += sizeof(uint32_t);
- p += sizeof(uint32_t);
- } else {
- sdp_uuid128_create(uuid, p);
- *scanned += sizeof(uint128_t);
- p += sizeof(uint128_t);
- }
- return 0;
-}
-
/*
* This function appends data to the PDU buffer "dst" from source "src".
* The data length is also computed and set.
@@ -2484,6 +2643,13 @@
if (status < 0)
goto end;
+ if (rspsize < sizeof(sdp_pdu_hdr_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
+
rsphdr = (sdp_pdu_hdr_t *) rsp;
p = rsp + sizeof(sdp_pdu_hdr_t);
@@ -2495,6 +2661,12 @@
errno = EPROTO;
status = -1;
} else {
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint32_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
if (handle)
*handle = ntohl(bt_get_unaligned((uint32_t *) p));
}
@@ -2590,6 +2762,13 @@
if (status < 0)
goto end;
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
+
rsphdr = (sdp_pdu_hdr_t *) rspbuf;
p = rspbuf + sizeof(sdp_pdu_hdr_t);
status = bt_get_unaligned((uint16_t *) p);
@@ -2689,6 +2868,13 @@
if (status < 0)
goto end;
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ errno = EPROTO;
+ status = -1;
+ goto end;
+ }
+
SDPDBG("Send req status : %d\n", status);
rsphdr = (sdp_pdu_hdr_t *) rspbuf;
@@ -2764,18 +2950,23 @@
* handles are not in "data element sequence" form, but just like
* an array of service handles
*/
-static void extract_record_handle_seq(uint8_t *pdu, sdp_list_t **seq, int count, int *scanned)
+static void extract_record_handle_seq(uint8_t *pdu, int bufsize, sdp_list_t **seq, int count, int *scanned)
{
sdp_list_t *pSeq = *seq;
uint8_t *pdata = pdu;
int n;
for (n = 0; n < count; n++) {
+ if (bufsize < sizeof(uint32_t)) {
+ SDPERR("Unexpected end of packet");
+ break;
+ }
uint32_t *pSvcRec = malloc(sizeof(uint32_t));
*pSvcRec = ntohl(bt_get_unaligned((uint32_t *) pdata));
pSeq = sdp_list_append(pSeq, pSvcRec);
pdata += sizeof(uint32_t);
*scanned += sizeof(uint32_t);
+ bufsize -= sizeof(uint32_t);
}
*seq = pSeq;
}
@@ -2792,7 +2983,7 @@
// Fill up the value and the dtd arrays
SDPDBG("");
-
+
memset(&buf, 0, sizeof(sdp_buf_t));
buf.data = malloc(256);
buf.buf_size = 256;
@@ -2843,12 +3034,17 @@
unsigned char data[16];
} __attribute__ ((packed)) sdp_cstate_t;
-static int copy_cstate(uint8_t *pdata, const sdp_cstate_t *cstate)
+static int copy_cstate(uint8_t *pdata, int pdata_len, const sdp_cstate_t *cstate)
{
if (cstate) {
- *pdata++ = cstate->length;
- memcpy(pdata, cstate->data, cstate->length);
- return cstate->length + 1;
+ uint8_t len = cstate->length;
+ if (len >= pdata_len) {
+ SDPERR("Continuation state size exceeds internal buffer");
+ len = pdata_len - 1;
+ }
+ *pdata++ = len;
+ memcpy(pdata, cstate->data, len);
+ return len + 1;
}
*pdata = 0;
return 1;
@@ -2890,7 +3086,7 @@
uint32_t reqsize = 0, _reqsize;
uint32_t rspsize = 0, rsplen;
int seqlen = 0;
- int scanned, total_rec_count, rec_count;
+ int scanned, total_rec_count, rec_count, pdata_len;
uint8_t *pdata, *_pdata;
uint8_t *reqbuf, *rspbuf;
sdp_pdu_hdr_t *reqhdr, *rsphdr;
@@ -2928,7 +3124,8 @@
do {
// Add continuation state or NULL (first time)
- reqsize = _reqsize + copy_cstate(_pdata, cstate);
+ reqsize = _reqsize + copy_cstate(_pdata,
+ SDP_REQ_BUFFER_SIZE - _reqsize, cstate);
// Set the request header's param length
reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t));
@@ -2942,7 +3139,12 @@
if (status < 0)
goto end;
- rsplen = 0;
+ if (rspsize < sizeof(sdp_pdu_hdr_t)) {
+ SDPERR("Unexpected end of packet");
+ status = -1;
+ goto end;
+ }
+
rsphdr = (sdp_pdu_hdr_t *) rspbuf;
rsplen = ntohs(rsphdr->plen);
@@ -2953,14 +3155,23 @@
}
scanned = 0;
pdata = rspbuf + sizeof(sdp_pdu_hdr_t);
+ pdata_len = rspsize - sizeof(sdp_pdu_hdr_t);
+
+ if (pdata_len < sizeof(uint16_t) + sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ status = -1;
+ goto end;
+ }
// net service record match count
total_rec_count = ntohs(bt_get_unaligned((uint16_t *) pdata));
pdata += sizeof(uint16_t);
scanned += sizeof(uint16_t);
+ pdata_len -= sizeof(uint16_t);
rec_count = ntohs(bt_get_unaligned((uint16_t *) pdata));
pdata += sizeof(uint16_t);
scanned += sizeof(uint16_t);
+ pdata_len -= sizeof(uint16_t);
SDPDBG("Total svc count: %d\n", total_rec_count);
SDPDBG("Current svc count: %d\n", rec_count);
@@ -2970,12 +3181,18 @@
status = -1;
goto end;
}
- extract_record_handle_seq(pdata, rsp, rec_count, &scanned);
+ extract_record_handle_seq(pdata, pdata_len, rsp, rec_count, &scanned);
SDPDBG("BytesScanned : %d\n", scanned);
if (rsplen > scanned) {
uint8_t cstate_len;
+ if (rspsize < sizeof(sdp_pdu_hdr_t) + scanned + sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet: continuation state data missing");
+ status = -1;
+ goto end;
+ }
+
pdata = rspbuf + sizeof(sdp_pdu_hdr_t) + scanned;
cstate_len = *(uint8_t *) pdata;
if (cstate_len > 0) {
@@ -2986,7 +3203,7 @@
}
} while (cstate);
- end:
+end:
if (reqbuf)
free(reqbuf);
if (rspbuf)
@@ -3034,7 +3251,7 @@
uint32_t reqsize = 0, _reqsize;
uint32_t rspsize = 0, rsp_count;
int attr_list_len = 0;
- int seqlen = 0;
+ int seqlen = 0, pdata_len;
uint8_t *pdata, *_pdata;
uint8_t *reqbuf, *rspbuf;
sdp_pdu_hdr_t *reqhdr, *rsphdr;
@@ -3090,7 +3307,8 @@
do {
// add NULL continuation state
- reqsize = _reqsize + copy_cstate(_pdata, cstate);
+ reqsize = _reqsize + copy_cstate(_pdata,
+ SDP_REQ_BUFFER_SIZE - _reqsize, cstate);
// set the request header's param length
reqhdr->tid = htons(sdp_gen_tid(session));
@@ -3099,6 +3317,13 @@
status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize);
if (status < 0)
goto end;
+
+ if (rspsize < sizeof(sdp_pdu_hdr_t)) {
+ SDPERR("Unexpected end of packet");
+ status = -1;
+ goto end;
+ }
+
rsp_count = 0;
rsphdr = (sdp_pdu_hdr_t *) rspbuf;
if (rsphdr->pdu_id == SDP_ERROR_RSP) {
@@ -3107,11 +3332,25 @@
goto end;
}
pdata = rspbuf + sizeof(sdp_pdu_hdr_t);
+ pdata_len = rspsize - sizeof(sdp_pdu_hdr_t);
+
+ if (pdata_len < sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ status = -1;
+ goto end;
+ }
+
rsp_count = ntohs(bt_get_unaligned((uint16_t *) pdata));
attr_list_len += rsp_count;
pdata += sizeof(uint16_t);
+ pdata_len -= sizeof(uint16_t);
// if continuation state set need to re-issue request before parsing
+ if (pdata_len < rsp_count + sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet: continuation state data missing");
+ status = -1;
+ goto end;
+ }
cstate_len = *(uint8_t *) (pdata + rsp_count);
SDPDBG("Response id : %d\n", rsphdr->pdu_id);
@@ -3138,15 +3377,17 @@
if (attr_list_len > 0) {
int scanned = 0;
- if (rsp_concat_buf.data_size != 0)
+ if (rsp_concat_buf.data_size != 0) {
pdata = rsp_concat_buf.data;
- rec = sdp_extract_pdu(pdata, &scanned);
+ pdata_len = rsp_concat_buf.data_size;
+ }
+ rec = sdp_extract_pdu_safe(pdata, pdata_len, &scanned);
if (!rec)
status = -1;
}
- end:
+end:
if (reqbuf)
free(reqbuf);
if (rsp_concat_buf.data)
@@ -3311,7 +3552,7 @@
pdata += sizeof(uint16_t);
// set the request header's param length
- cstate_len = copy_cstate(pdata, NULL);
+ cstate_len = copy_cstate(pdata, SDP_REQ_BUFFER_SIZE - t->reqsize, NULL);
reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t));
if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) {
@@ -3425,7 +3666,7 @@
SDPDBG("Attr list length : %d\n", seqlen);
// set the request header's param length
- cstate_len = copy_cstate(pdata, NULL);
+ cstate_len = copy_cstate(pdata, SDP_REQ_BUFFER_SIZE - t->reqsize, NULL);
reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t));
if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) {
@@ -3544,7 +3785,7 @@
t->reqsize += seqlen;
// set the request header's param length
- cstate_len = copy_cstate(pdata, NULL);
+ cstate_len = copy_cstate(pdata, SDP_REQ_BUFFER_SIZE - t->reqsize, NULL);
reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t));
if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) {
@@ -3757,7 +3998,8 @@
reqhdr->tid = htons(sdp_gen_tid(session));
// add continuation state
- cstate_len = copy_cstate(t->reqbuf + t->reqsize, pcstate);
+ cstate_len = copy_cstate(t->reqbuf + t->reqsize,
+ SDP_REQ_BUFFER_SIZE - t->reqsize, pcstate);
reqsize = t->reqsize + cstate_len;
@@ -3836,7 +4078,7 @@
uint32_t reqsize = 0, _reqsize;
uint32_t rspsize = 0;
int seqlen = 0, attr_list_len = 0;
- int rsp_count = 0, cstate_len = 0;
+ int rsp_count = 0, cstate_len = 0, pdata_len;
uint8_t *pdata, *_pdata;
uint8_t *reqbuf, *rspbuf;
sdp_pdu_hdr_t *reqhdr, *rsphdr;
@@ -3900,12 +4142,19 @@
reqhdr->tid = htons(sdp_gen_tid(session));
// add continuation state (can be null)
- reqsize = _reqsize + copy_cstate(_pdata, cstate);
+ reqsize = _reqsize + copy_cstate(_pdata,
+ SDP_REQ_BUFFER_SIZE - _reqsize, cstate);
// set the request header's param length
reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t));
rsphdr = (sdp_pdu_hdr_t *) rspbuf;
status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize);
+ if (rspsize < sizeof(sdp_pdu_hdr_t)) {
+ SDPERR("Unexpected end of packet");
+ status = -1;
+ goto end;
+ }
+
if (status < 0) {
SDPDBG("Status : 0x%x\n", rsphdr->pdu_id);
goto end;
@@ -3917,9 +4166,25 @@
}
pdata = rspbuf + sizeof(sdp_pdu_hdr_t);
+ pdata_len = rspsize - sizeof(sdp_pdu_hdr_t);
+
+ if (pdata_len < sizeof(uint16_t)) {
+ SDPERR("Unexpected end of packet");
+ status = -1;
+ goto end;
+ }
+
rsp_count = ntohs(bt_get_unaligned((uint16_t *) pdata));
attr_list_len += rsp_count;
pdata += sizeof(uint16_t); // pdata points to attribute list
+ pdata_len -= sizeof(uint16_t);
+
+ if (pdata_len < rsp_count + sizeof(uint8_t)) {
+ SDPERR("Unexpected end of packet: continuation state data missing");
+ status = -1;
+ goto end;
+ }
+
cstate_len = *(uint8_t *) (pdata + rsp_count);
SDPDBG("Attrlist byte count : %d\n", attr_list_len);
@@ -3946,24 +4211,27 @@
if (attr_list_len > 0) {
int scanned = 0;
- if (rsp_concat_buf.data_size != 0)
+ if (rsp_concat_buf.data_size != 0) {
pdata = rsp_concat_buf.data;
+ pdata_len = rsp_concat_buf.data_size;
+ }
/*
* Response is a sequence of sequence(s) for one or
* more data element sequence(s) representing services
* for which attributes are returned
*/
- scanned = sdp_extract_seqtype(pdata, &dataType, &seqlen);
+ scanned = sdp_extract_seqtype_safe(pdata, pdata_len, &dataType, &seqlen);
SDPDBG("Bytes scanned : %d\n", scanned);
SDPDBG("Seq length : %d\n", seqlen);
if (scanned && seqlen) {
pdata += scanned;
+ pdata_len -= scanned;
do {
int recsize = 0;
- sdp_record_t *rec = sdp_extract_pdu(pdata, &recsize);
+ sdp_record_t *rec = sdp_extract_pdu_safe(pdata, pdata_len, &recsize);
if (rec == NULL) {
SDPERR("SVC REC is null\n");
status = -1;
@@ -3975,13 +4243,14 @@
}
scanned += recsize;
pdata += recsize;
+ pdata_len -= recsize;
SDPDBG("Loc seq length : %d\n", recsize);
SDPDBG("Svc Rec Handle : 0x%x\n", rec->handle);
SDPDBG("Bytes scanned : %d\n", scanned);
SDPDBG("Attrlist byte count : %d\n", attr_list_len);
rec_list = sdp_list_append(rec_list, rec);
- } while (scanned < attr_list_len);
+ } while (scanned < attr_list_len && pdata_len > 0);
SDPDBG("Successful scan of service attr lists\n");
*rsp = rec_list;
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org