From 27a52a9ccb33aecfd75890841c9333ca6b1db809 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Fri, 27 May 2011 11:37:24 +0300
Subject: [PATCH] Fix possible buffer overflow when sending avdtp commands

Buffer size should be as big as the maximum of imtu and omtu, otherwise it may overflow when sending messages which are bigger then imtu.
---
 audio/avdtp.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/audio/avdtp.c b/audio/avdtp.c
index e6407bbe5..252810e8a 100644
--- a/audio/avdtp.c
+++ b/audio/avdtp.c
@@ -61,6 +61,10 @@
 #define MAX_SEID 0x3E
+#ifndef MAX
+# define MAX(x, y) ((x) > (y) ? (x) : (y))
+#endif
+
 #define AVDTP_DISCOVER 0x01
 #define AVDTP_GET_CAPABILITIES 0x02
 #define AVDTP_SET_CONFIGURATION 0x03
@@ -2348,7 +2352,7 @@ static void avdtp_connect_cb(GIOChannel *chan, GError *err, gpointer user_data)
 if (session->state == AVDTP_SESSION_STATE_CONNECTING) {
 DBG("AVDTP imtu=%u, omtu=%u", session->imtu, session->omtu);
- session->buf = g_malloc0(session->imtu);
+ session->buf = g_malloc0(MAX(session->imtu, session->omtu));
 avdtp_set_state(session, AVDTP_SESSION_STATE_CONNECTED);
 if (session->io_id)
-- 
2.47.3
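Review bot: The `MAX` macro added after `MAX_SEID` expands each argument twice. That is harmless for the plain field reads at its one visible use, but becomes a hazard if it is later called with an expression that has side effects. A short comment above it would record the constraint, for example `/* MAX evaluates its arguments twice; pass only side-effect-free expressions */`. Because of the `#ifndef MAX` guard, a definition pulled in from an earlier header would take precedence, so the file relies on that definition having the same semantics.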
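Review bot: The allocation in the `AVDTP_SESSION_STATE_CONNECTING` branch neither records nor documents the size it picks. The code that fills `session->buf` when sending and receiving (outside this hunk) therefore still has to bound each write by `omtu` or `imtu` on its own. Both MTUs are presumably negotiated with the remote device, so it is worth confirming that every writer checks its length against the MTU for its direction, and that a zero result is handled, since `g_malloc0(0)` returns NULL. At minimum, a comment on the new line would keep a later edit from shrinking the buffer again: `/* buf is shared by the receive and send paths, so it must hold the larger of imtu and omtu */`. `avdtp_connect_cb` starts before and continues past this hunk, so the MTU lookup and the rest of the branch are not visible here.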