* [Bluez-devel] FW: Patches: Qualification - SDP
@ 2003-09-09 16:52 Daryl Van Vorst
From: Daryl Van Vorst @ 2003-09-09 16:52 UTC (permalink / raw)
To: BlueZ Mailing List
[-- Attachment #1: Type: text/plain, Size: 1181 bytes --]
This didn't make it through the first time... Trying again.
-Daryl.
-----Original Message-----
From: Daryl Van Vorst [mailto:daryl@wideray.com]
Sent: September 8, 2003 11:29 AM
To: 'Stephen Crane'
Cc: 'BlueZ Mailing List'
Subject: Patches: Qualification - SDP
Steve, All,
Attached are two versions of a patch to SDP which make it pass the mandatory
qualification tests. One patch is against version 1.4 which is available for
download. The other patch is against what _I THINK_ is in CVS (if
sourceforge's CVS was better I'd be able to give a more definitive
statement).
The changes that I've made perform some simple checks on the PDU structure
for the three different SDP queries (SS, SA, SSA), and return the
appropriate error code (Invalid Request Syntax) to the initiator. Previously
the code would return "Invalid Continuation State" as the error code for
certain malformed queries.
The only difference between the two patches is a change that Steve made
which fixed a bug in handling the MaximumServiceRecordCount parameter in an
SS request. One patch includes it (the patch against version 1.4) and the
other patch does not.
-Daryl.
[-- Attachment #2: patch-sdp-1.4.txt --]
[-- Type: text/plain, Size: 2682 bytes --]
--- bluez-sdp-1.4/sdpd/request.c Wed Feb 12 05:18:07 2003
+++ bluez-sdp-1.4-mods/sdpd/request.c Thu Sep 4 14:28:12 2003
@@ -228,7 +228,7 @@
*/
static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
{
- int status = 0, i;
+ int status = 0, i, plen;
sdp_list_t *pattern = NULL;
int expected, actual;
uint8_t dtd;
@@ -249,6 +249,14 @@
goto done;
}
pdata += scanned;
+
+ plen = ntohs(((sdp_pdu_hdr_t *)(req->buf))->plen);
+ if((plen < (scanned + sizeof(uint16_t) + 1)) || // To ensure we don't read past buffer
+ (plen != (scanned + sizeof(uint16_t) + 1 + *((uint8_t *)(pdata+sizeof(uint16_t)))))) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
+
expected = ntohs(sdp_get_unaligned((uint16_t *)pdata));
SDPDBG("Expected count: %d\n", expected);
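Review bot: The new guard checks the PDU layout only against the length the header itself declares (`plen`), and the continuation-length byte read at `pdata+sizeof(uint16_t)` is trusted on the same basis; unless `plen` has already been compared with the number of bytes actually received for this request (not visible in the hunk), a header that overstates its length still passes both conditions and the later reads run beyond the real payload. Adding a comparison of `plen` against the received byte count (whichever field of the request holds it) before this check would make the "don't read past buffer" comment true. The same construction appears in the @@ -498 hunk (service_attr_req) and the @@ -616 hunk (service_search_attr_req), and in the corresponding three hunks of the second attachment. A minor style point: the added lines use `//` comments and `if(` where the surrounding file uses `/* */` and `if (`. service_search_req continues outside the hunk on both sides.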
@@ -285,7 +293,7 @@
sdp_list_t *list = sdp_get_record_list();
handleSize = 0;
- for (; list; list = list->next) {
+ for (; list && rsp_count < expected; list = list->next) {
sdp_record_t *rec = (sdp_record_t *)list->data;
SDPDBG("Checking svcRec : 0x%x\n", rec->handle);
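Review bot: The new loop bound stops collecting handles once `rsp_count` reaches `expected`, but nothing in the hunk rejects `expected == 0`; if that value is not validated before this point, a request carrying a MaximumServiceRecordCount of 0 produces an empty successful response rather than an error. As I recall the SDP specification treats 0 as out of range for this parameter, so a check such as `if (expected == 0) { status = SDP_INVALID_SYNTAX; goto done; }` immediately after `expected` is read would be consistent with the rest of the patch. `rsp_count` is presumably incremented inside the loop body, which lies outside the hunk, as does the rest of service_search_req.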
@@ -480,7 +488,7 @@
uint8_t dtd = 0;
int scanned = 0;
int max_rsp_size;
- int status = 0;
+ int status = 0, plen;
char *pdata = req->buf + sizeof(sdp_pdu_hdr_t);
uint32_t handle = ntohl(sdp_get_unaligned((uint32_t *)pdata));
@@ -498,6 +506,13 @@
}
pdata += scanned;
+ plen = ntohs(((sdp_pdu_hdr_t *)(req->buf))->plen);
+ if((plen < (scanned + sizeof(uint32_t) + sizeof(uint16_t) + 1)) || // To ensure we don't read past buffer
+ (plen != (scanned + sizeof(uint32_t) + sizeof(uint16_t) + 1 + *((uint8_t *)pdata)))) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
+
/*
* if continuation state exists, attempt
* to get rsp remainder from cache, else send error
@@ -584,7 +599,7 @@
*/
static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
{
- int status = 0;
+ int status = 0, plen, totscanned;
char *pdata, *pResponse = NULL;
int scanned, max, rsp_count = 0;
sdp_list_t *pattern = NULL, *seq = NULL, *svcList;
@@ -600,6 +615,7 @@
status = SDP_INVALID_SYNTAX;
goto done;
}
+ totscanned = scanned;
SDPDBG("Bytes scanned: %d", scanned);
@@ -616,6 +632,14 @@
goto done;
}
pdata += scanned;
+ totscanned += scanned;
+
+ plen = ntohs(((sdp_pdu_hdr_t *)(req->buf))->plen);
+ if((plen < (totscanned + sizeof(uint16_t) + 1)) || // To ensure we don't read past buffer
+ (plen != (totscanned + sizeof(uint16_t) + 1 + *((uint8_t *)pdata)))) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
/*
* if continuation state exists attempt
[-- Attachment #3: patch-sdp-cvs.txt --]
[-- Type: text/plain, Size: 2382 bytes --]
--- bluez-sdp-cvs/sdpd/request.c Thu Sep 4 15:07:28 2003
+++ bluez-sdp-1.4-mods/sdpd/request.c Thu Sep 4 14:28:12 2003
@@ -228,7 +228,7 @@
*/
static int service_search_req(sdp_req_t *req, sdp_buf_t *buf)
{
- int status = 0, i;
+ int status = 0, i, plen;
sdp_list_t *pattern = NULL;
int expected, actual;
uint8_t dtd;
@@ -249,6 +249,14 @@
goto done;
}
pdata += scanned;
+
+ plen = ntohs(((sdp_pdu_hdr_t *)(req->buf))->plen);
+ if((plen < (scanned + sizeof(uint16_t) + 1)) || // To ensure we don't read past buffer
+ (plen != (scanned + sizeof(uint16_t) + 1 + *((uint8_t *)(pdata+sizeof(uint16_t)))))) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
+
expected = ntohs(sdp_get_unaligned((uint16_t *)pdata));
SDPDBG("Expected count: %d\n", expected);
@@ -480,7 +488,7 @@
uint8_t dtd = 0;
int scanned = 0;
int max_rsp_size;
- int status = 0;
+ int status = 0, plen;
char *pdata = req->buf + sizeof(sdp_pdu_hdr_t);
uint32_t handle = ntohl(sdp_get_unaligned((uint32_t *)pdata));
@@ -498,6 +506,13 @@
}
pdata += scanned;
+ plen = ntohs(((sdp_pdu_hdr_t *)(req->buf))->plen);
+ if((plen < (scanned + sizeof(uint32_t) + sizeof(uint16_t) + 1)) || // To ensure we don't read past buffer
+ (plen != (scanned + sizeof(uint32_t) + sizeof(uint16_t) + 1 + *((uint8_t *)pdata)))) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
+
/*
* if continuation state exists, attempt
* to get rsp remainder from cache, else send error
@@ -584,7 +599,7 @@
*/
static int service_search_attr_req(sdp_req_t *req, sdp_buf_t *buf)
{
- int status = 0;
+ int status = 0, plen, totscanned;
char *pdata, *pResponse = NULL;
int scanned, max, rsp_count = 0;
sdp_list_t *pattern = NULL, *seq = NULL, *svcList;
@@ -600,6 +615,7 @@
status = SDP_INVALID_SYNTAX;
goto done;
}
+ totscanned = scanned;
SDPDBG("Bytes scanned: %d", scanned);
@@ -616,6 +632,14 @@
goto done;
}
pdata += scanned;
+ totscanned += scanned;
+
+ plen = ntohs(((sdp_pdu_hdr_t *)(req->buf))->plen);
+ if((plen < (totscanned + sizeof(uint16_t) + 1)) || // To ensure we don't read past buffer
+ (plen != (totscanned + sizeof(uint16_t) + 1 + *((uint8_t *)pdata)))) {
+ status = SDP_INVALID_SYNTAX;
+ goto done;
+ }
/*
* if continuation state exists attempt