From 6bfc799ccfbfdb10b61b31fe27eaca956b91990d Mon Sep 17 00:00:00 2001
From: Maksim Yevmenkin
Date: Fri, 23 Feb 2007 19:37:47 +0000
Subject: [PATCH] Check that the length of the received message is at least as big as a PDU before we use pdu->len.

Submitted by:	Iain Hibbert
MFC after:	3 days
---
 usr.sbin/bluetooth/sdpd/server.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/usr.sbin/bluetooth/sdpd/server.c b/usr.sbin/bluetooth/sdpd/server.c
index bef7e3ee8d1..816c6f5e6c2 100644
--- a/usr.sbin/bluetooth/sdpd/server.c
+++ b/usr.sbin/bluetooth/sdpd/server.c
@@ -432,7 +432,8 @@ server_process_request(server_p srv, int32_t fd)
 		return (-1);
 	}
 
-	if (sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
+	if (len >= sizeof(*pdu) &&
+	    sizeof(*pdu) + (pdu->len = ntohs(pdu->len)) == len) {
 		switch (pdu->pid) {
 		case SDP_PDU_SERVICE_SEARCH_REQUEST:
 			error = server_prepare_service_search_response(srv, fd);
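Review bot: The new guard `len >= sizeof(*pdu)` compares `len` against a `size_t`, so if `len` is a signed type (likely, given the `return (-1)` error path just above) a negative value is promoted to unsigned and passes the check; that is only safe if the receive path before this hunk already rejects negative lengths, which is outside what the hunk shows. Making the intent explicit with `if (len >= (int32_t)sizeof(*pdu) &&` or by comparing `(size_t)len` only after the earlier `len < 0` check would keep the guard self-evidently correct. Note also that `pdu->len` is now only converted from network byte order when the guard holds, so any else-branch or error-response code that reads `pdu->len` for a short message sees the raw big-endian value; worth a comment such as `/* pdu->len is left in network byte order when the message is shorter than a PDU header */` if that path uses it. server_process_request continues on both sides of this hunk.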