From 1796f00e846561af80679efba4d7c36c78710fb6 Mon Sep 17 00:00:00 2001
From: Anderson Lizardo
Date: Sun, 3 Feb 2013 21:20:44 -0400
Subject: [PATCH] lib: Add range check for SDP_SVC_ATTR_RSP/SDP_SVC_SEARCH_ATTR_RSP

According to SDP spec, the byte count fields for these PDUs have a valid range of 0x0002-0xFFFF.
---
 lib/sdp.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/sdp.c b/lib/sdp.c
index 7ab7379b5..e1943dd33 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -4169,6 +4169,14 @@ int sdp_process(sdp_session_t *session)
 rsp_count = bt_get_be16(pdata);
 SDPDBG("Attrlist byte count : %d\n", rsp_count);
 
+ /* Valid range for rsp_count is 0x0002-0xFFFF */
+ if (rsp_count < 0x0002) {
+ t->err = EPROTO;
+ SDPERR("Protocol error: invalid AttrList size");
+ status = SDP_INVALID_PDU_SIZE;
+ goto end;
+ }
+
 /*
 * Number of bytes in the AttributeLists parameter(without
 * continuation state) + AttributeListsByteCount field size.
-- 
2.47.3
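Review bot: The new guard on `rsp_count` enforces only the lower end of the range, and nothing in this hunk compares the value with the number of bytes actually received in the PDU. `rsp_count` is read straight from the peer's response by `bt_get_be16(pdata)`, so a remote SDP server controls it, and the trailing context suggests it is next used as a byte count for the AttributeLists data. sdp_process continues outside the hunk, so the length comparison may already exist further down; if it does not, it belongs right beside this check, before the count is used for any copy. At minimum I would extend the comment to record the assumption: `/* rsp_count is peer-supplied: the minimum is enforced here, the maximum must be checked against the received PDU length before use */`.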