sdp: Fix ineffective error guard The return value from gen_attridseq_pdu() can be -ENOMEM or the always positive return value from sdp_gen_pdu(), but we only guard against a single negative return value "-1" (-EPERM). Check for all negative values to avoid manipulating a negative length as a valid one. Error: INTEGER_OVERFLOW (CWE-190): [#def10] [important] lib/sdp.c:4097:2: overflow_sink: "t->reqsize + cstate_len", which might have underflowed, is passed to "sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len)". 4095| reqhdr->plen = htons((t->reqsize + cstate_len) - sizeof(sdp_pdu_hdr_t)); 4096| 4097|-> if (sdp_send_req(session, t->reqbuf, t->reqsize + cstate_len) < 0) { 4098| SDPERR("Error sending data:%m"); 4099| t->err = errno; Error: INTEGER_OVERFLOW (CWE-190): [#def11] [important] lib/sdp.c:4492:3: overflow_sink: "reqsize", which might have underflowed, is passed to "sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize)". 4490| reqhdr->plen = htons(reqsize - sizeof(sdp_pdu_hdr_t)); 4491| rsphdr = (sdp_pdu_hdr_t *) rspbuf; 4492|-> status = sdp_send_req_w4_rsp(session, reqbuf, rspbuf, reqsize, &rspsize); 4493| if (rspsize < sizeof(sdp_pdu_hdr_t)) { 4494| SDPERR("Unexpected end of packet");

Diffstat

1 files changed, 4 insertions(+), 4 deletions(-)