From c90b7ec0843097a9526b2786aa4ed934da3b7666 Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Mon, 29 Nov 2021 10:24:38 +0100
Subject: [PATCH] obex_parser: handle header with invalid 2-byte length field
---
 src/classic/obex_parser.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/src/classic/obex_parser.c b/src/classic/obex_parser.c
index 058c21e26..452e6ed8b 100644
--- a/src/classic/obex_parser.c
+++ b/src/classic/obex_parser.c
@@ -159,12 +159,19 @@ obex_parser_object_state_t obex_parser_process_data(obex_parser_t *obex_parser,
 obex_parser->state = OBEX_PARSER_STATE_W4_HEADER_LEN_SECOND;
 break;
 case OBEX_PARSER_STATE_W4_HEADER_LEN_SECOND:
- obex_parser->item_len = obex_parser->item_len + *data_buffer - 3;
- if ( obex_parser->item_len > 0){
- obex_parser->state = OBEX_PARSER_STATE_W4_HEADER_VALUE;
- } else {
+ obex_parser->item_len = obex_parser->item_len + *data_buffer;
+ if (obex_parser->item_len < 3){
+ // len to small to even cover header
+ obex_parser->state = OBEX_PARSER_STATE_INVALID;
+ break;
+ };
+ if (obex_parser->item_len == 3){
+ // borderline: empty value
 obex_parser->state = OBEX_PARSER_STATE_W4_HEADER_ID;
+ break;
 }
+ obex_parser->item_len -= 3;
+ obex_parser->state = OBEX_PARSER_STATE_W4_HEADER_VALUE;
 break;
 case OBEX_PARSER_STATE_W4_HEADER_VALUE:
 bytes_to_consume = btstack_min(obex_parser->item_len - obex_parser->item_pos, data_len);
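Review bot: The added check in the `OBEX_PARSER_STATE_W4_HEADER_LEN_SECOND` case bounds the header length only from below, so a header declaring more bytes than remain in the OBEX packet still enters `OBEX_PARSER_STATE_W4_HEADER_VALUE` with that `item_len`. Unless the remaining packet size is enforced elsewhere in `obex_parser_process_data` (its body starts and ends outside this hunk), I would reject that case here too, along the lines of `if (obex_parser->item_len > REMAINING_PACKET_BYTES) { obex_parser->state = OBEX_PARSER_STATE_INVALID; break; }`, where `REMAINING_PACKET_BYTES` is a placeholder for whatever the parser tracks. The literal 3 now appears three times and deserves a named constant documenting that it is the 1-byte header id plus the 2-byte length field. Smaller points: `};` after the first `if` leaves a stray empty statement, and the comment should read `// len too small to even cover header`.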