34 lines
1.0 KiB
Diff
34 lines
1.0 KiB
Diff
From e2b0f0d8d63e1223bb714a9efb37e2257818268b Mon Sep 17 00:00:00 2001
|
|
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
|
|
Date: Thu, 29 Apr 2021 18:18:57 -0700
|
|
Subject: avrcp: Fix not checking if params_len match number of received bytes
|
|
|
|
This makes sure the number of bytes in the params_len matches the
|
|
remaining bytes received so the code don't end up accessing invalid
|
|
memory.
|
|
---
|
|
profiles/audio/avrcp.c | 8 ++++++++
|
|
1 file changed, 8 insertions(+)
|
|
|
|
diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
|
|
index 05dd791de..c6a342ee3 100644
|
|
--- a/profiles/audio/avrcp.c
|
|
+++ b/profiles/audio/avrcp.c
|
|
@@ -1914,6 +1914,14 @@ static size_t handle_vendordep_pdu(struct avctp *conn, uint8_t transaction,
|
|
goto err_metadata;
|
|
}
|
|
|
|
+ operands += sizeof(*pdu);
|
|
+ operand_count -= sizeof(*pdu);
|
|
+
|
|
+ if (pdu->params_len != operand_count) {
|
|
+ DBG("AVRCP PDU parameters length don't match");
|
|
+ pdu->params_len = operand_count;
|
|
+ }
|
|
+
|
|
for (handler = session->control_handlers; handler->pdu_id; handler++) {
|
|
if (handler->pdu_id == pdu->pdu_id)
|
|
break;
|
|
--
|
|
cgit
|