From 24dee5c4b69ae8d6682622c6cbb69cd4d9742ff0 Mon Sep 17 00:00:00 2001
From: Jukka Taimisto
Date: Thu, 8 Jan 2015 13:49:29 +0200
Subject: [PATCH] shared/gatt: Fix divide by zero error
When Read By Group Type Response or Read By Type Response is received, verify the length field value before checking if the list size is multiple of the length field. If the length field value is not checked receiving Read By Group Type Response or Read By Type Response with 0 as length field value will cause bluetoothd to die with divide by zero error.
---
 src/shared/gatt-helpers.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/shared/gatt-helpers.c b/src/shared/gatt-helpers.c
index c6e179c76..3864ed073 100644
--- a/src/shared/gatt-helpers.c
+++ b/src/shared/gatt-helpers.c
@@ -655,8 +655,8 @@ static void read_by_grp_type_cb(uint8_t opcode, const void *pdu,
 data_length = ((uint8_t *) pdu)[0];
 list_length = length - 1;
- if ((list_length % data_length) ||
- (data_length != 6 && data_length != 20)) {
+ if ((data_length != 6 && data_length != 20) ||
+ (list_length % data_length)) {
 success = false;
 goto done;
 }
@@ -1187,8 +1187,8 @@ static void discover_chrcs_cb(uint8_t opcode, const void *pdu,
 data_length = ((uint8_t *) pdu)[0];
- if (((length - 1) % data_length) ||
- (data_length != 7 && data_length != 21)) {
+ if ((data_length != 7 && data_length != 21) ||
+ ((length - 1) % data_length)) {
 success = false;
 goto done;
 }
-- 
2.47.3
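Review bot: The divide-by-zero protection in read_by_grp_type_cb now rests entirely on `||` short-circuiting, and nothing on the new condition says so. A later tidy-up that swaps the operands back would reintroduce the crash on a peer-supplied length field of 0. I would add a comment above the `if`, e.g. `/* Check data_length first: it comes from the remote device and must be non-zero before the modulo. */`. The reordered condition in discover_chrcs_cb needs the same comment; both functions start and end outside their hunks.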
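Review bot: In discover_chrcs_cb the new condition still accepts a response whose attribute list is empty. With `length` equal to 1 and a length field of 7 or 21, `(length - 1) % data_length` is 0 and the check passes. The function starts outside the hunk, so an earlier minimum-size test may already cover this; if it does not, add one here, e.g. `length < 1 + data_length ||` as an extra operand after the 7/21 test. The `list_length % data_length` test in read_by_grp_type_cb has the same property.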