From 7cddeb379dcfb3e58f76d98822b4eb62a571e0d9 Mon Sep 17 00:00:00 2001
From: Lucas De Marchi
Date: Wed, 12 Oct 2011 12:11:19 -0300
Subject: [PATCH] AVRCP: Check if len matches number of IDs

If number of attributes remote side provided is larger than the length we read, we would read garbage from stack memory.
---
 audio/avrcp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/audio/avrcp.c b/audio/avrcp.c
index 0ca91a554..8b4665018 100644
--- a/audio/avrcp.c
+++ b/audio/avrcp.c
@@ -597,12 +597,16 @@ static uint8_t avrcp_handle_get_element_attributes(struct avrcp_player *player,
 int size;
 unsigned int i;
- if (len < 8 || *identifier != 0)
+ if (len < 9 || *identifier != 0)
+ goto err;
+
+ nattr = pdu->params[8];
+
+ if (len < nattr * sizeof(uint32_t) + 1)
 goto err;
 len = 0;
 pos = 1; /* Keep track of current position in reponse */
- nattr = pdu->params[8];
 if (!nattr) {
 /*
-- 
2.47.3
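Review bot: The new bound `len < nattr * sizeof(uint32_t) + 1` leaves out the 8 bytes that precede the count byte, so it is still too permissive. The first guard requires `len >= 9` because `nattr` sits at `params[8]`, which implies the attribute IDs begin at `params[9]` (presumably; the loop that reads them is outside this hunk). With `len == 9` and `nattr == 2` the check passes, yet the IDs would extend 8 bytes past the data received, which is the over-read the commit message describes. Compare against the full offset instead, `if (len < 9 + nattr * sizeof(uint32_t))`, and add a short comment stating the layout the check assumes (8-byte identifier, 1-byte count, then `nattr` 32-bit IDs).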