From 88cdd5749c491ea26c080f79e1ac5b76b711f32b Mon Sep 17 00:00:00 2001
From: Anderson Lizardo <anderson.lizardo@openbossa.org>
Date: Sat, 11 Jan 2014 00:47:25 -0400
Subject: [PATCH] attrib: Reject incomplete PDU in dec_find_by_type_resp()

Otherwise, an incomplete PDU may be silently accepted (with any
remaining data discarded).
---
 attrib/att.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/attrib/att.c b/attrib/att.c
index d36791860..c279b2ce4 100644
--- a/attrib/att.c
+++ b/attrib/att.c
@@ -334,12 +334,21 @@ GSList *dec_find_by_type_resp(const uint8_t *pdu, size_t len)
 	GSList *matches;
 	off_t offset;
 
+	/* PDU should contain at least:
+	 * - Attribute Opcode (1 octet)
+	 * - Handles Information List (at least one entry):
+	 *   - Found Attribute Handle (2 octets)
+	 *   - Group End Handle (2 octets) */
 	if (pdu == NULL || len < 5)
 		return NULL;
 
 	if (pdu[0] != ATT_OP_FIND_BY_TYPE_RESP)
 		return NULL;
 
+	/* Reject incomplete Handles Information List */
+	if ((len - 1) % 4)
+		return NULL;
+
 	for (offset = 1, matches = NULL;
 				len >= (offset + sizeof(uint16_t) * 2);
 				offset += sizeof(uint16_t) * 2) {
-- 
2.47.3