mirror/btstack
1
0
Fork 0
mirror of https://github.com/bluekitchen/btstack.git synced 2025-04-01 22:20:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

avrcp_browsing_controller: check size, #337

Browse Source
This commit is contained in:
Matthias Ringwald 2021-02-25 18:01:08 +01:00
parent 45f043bab0
commit a912d067c8
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/classic/avrcp_browsing_controller.c
View File

@ -373,11 +373,12 @@ static void avrcp_browsing_controller_emit_failed(btstack_packet_handler_t callb
static void avrcp_browsing_controller_packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){ static void avrcp_browsing_controller_packet_handler(uint8_t packet_type, uint16_t channel, uint8_t *packet, uint16_t size){
avrcp_browsing_connection_t * browsing_connection; avrcp_browsing_connection_t * browsing_connection;
uint8_t transport_header; uint8_t transport_header;
int pos; uint32_t pos;
switch (packet_type) { switch (packet_type) {
case L2CAP_DATA_PACKET: case L2CAP_DATA_PACKET:
browsing_connection = avrcp_get_browsing_connection_for_l2cap_cid_for_role(AVRCP_CONTROLLER, channel); browsing_connection = avrcp_get_browsing_connection_for_l2cap_cid_for_role(AVRCP_CONTROLLER, channel);
if (!browsing_connection) break; if (!browsing_connection) break;
if (size < 6) break;
pos = 0; pos = 0;
transport_header = packet[pos++]; transport_header = packet[pos++];
// Transaction label | Packet_type | C/R | IPID (1 == invalid profile identifier) // Transaction label | Packet_type | C/R | IPID (1 == invalid profile identifier)
@ -420,6 +421,8 @@ static void avrcp_browsing_controller_packet_handler(uint8_t packet_type, uint16
case AVRCP_PDU_ID_GET_TOTAL_NUMBER_OF_ITEMS: case AVRCP_PDU_ID_GET_TOTAL_NUMBER_OF_ITEMS:
break; break;
case AVRCP_PDU_ID_SET_BROWSED_PLAYER: case AVRCP_PDU_ID_SET_BROWSED_PLAYER:
if ((pos + 9) > size) break;
browsing_connection->uid_counter = big_endian_read_16(packet, pos); browsing_connection->uid_counter = big_endian_read_16(packet, pos);
pos += 2; pos += 2;
// num_items // num_items
@ -429,9 +432,11 @@ static void avrcp_browsing_controller_packet_handler(uint8_t packet_type, uint16
folder_depth = packet[pos++]; folder_depth = packet[pos++];
for (i = 0; i < folder_depth; i++){ for (i = 0; i < folder_depth; i++){
if ((pos + 2) > size) return;
uint16_t folder_name_length = big_endian_read_16(packet, pos); uint16_t folder_name_length = big_endian_read_16(packet, pos);
pos += 2; pos += 2;
// reuse packet and add data type as a header // reuse packet and add data type as a header
if ((pos + folder_name_length) > size) return;
packet[pos-1] = AVRCP_BROWSING_MEDIA_ROOT_FOLDER; packet[pos-1] = AVRCP_BROWSING_MEDIA_ROOT_FOLDER;
(*avrcp_controller_context.browsing_avrcp_callback)(AVRCP_BROWSING_DATA_PACKET, channel, packet+pos-1, folder_name_length+1); (*avrcp_controller_context.browsing_avrcp_callback)(AVRCP_BROWSING_DATA_PACKET, channel, packet+pos-1, folder_name_length+1);
pos += folder_name_length; pos += folder_name_length;
@ -442,6 +447,7 @@ static void avrcp_browsing_controller_packet_handler(uint8_t packet_type, uint16
switch (avctp_packet_type){ switch (avctp_packet_type){
case AVRCP_SINGLE_PACKET: case AVRCP_SINGLE_PACKET:
case AVRCP_START_PACKET: case AVRCP_START_PACKET:
if ((pos + 4) > size) return;
avrcp_parser_reset(browsing_connection); avrcp_parser_reset(browsing_connection);
browsing_connection->uid_counter = big_endian_read_16(packet, pos); browsing_connection->uid_counter = big_endian_read_16(packet, pos);
pos += 2; pos += 2;
@ -464,6 +470,7 @@ static void avrcp_browsing_controller_packet_handler(uint8_t packet_type, uint16
break; break;
} }
case AVRCP_PDU_ID_SEARCH: case AVRCP_PDU_ID_SEARCH:
if ((pos + 2) > size) return;
browsing_connection->uid_counter = big_endian_read_16(packet, pos); browsing_connection->uid_counter = big_endian_read_16(packet, pos);
pos += 2; pos += 2;
break; break;