From b1cf1d94a05dc0c7c2009ffed540d804fc83da61 Mon Sep 17 00:00:00 2001
From: Iain Hibbert
Date: Wed, 17 Feb 2010 18:58:37 +0000
Subject: [PATCH] hcidump: Prevent buffer overruns when parsing invalid OBEX frames
---
 tools/parser/obex.c | 47 +++++++++++++++++++++++++++++++++++++++------
 1 file changed, 41 insertions(+), 6 deletions(-)
diff --git a/tools/parser/obex.c b/tools/parser/obex.c
index 133f2a2e3..50b9737cc 100644
--- a/tools/parser/obex.c
+++ b/tools/parser/obex.c
@@ -200,27 +200,55 @@ static void parse_headers(int level, struct frame *frm)
 printf("%s (0x%02x)", hi2str(hi), hi);
 switch (hi & 0xc0) {
 case 0x00: /* Unicode */
+ if (frm->len < 2) {
+ printf("\n");
+ return;
+ }
+
 len = get_u16(frm) - 3;
 printf(" = Unicode length %d\n", len);
+
+ if (frm->len < len)
+ return;
+
 raw_ndump(level, frm, len);
 frm->ptr += len;
 frm->len -= len;
 break;
 case 0x40: /* Byte sequence */
+ if (frm->len < 2) {
+ printf("\n");
+ return;
+ }
+
 len = get_u16(frm) - 3;
 printf(" = Sequence length %d\n", len);
+
+ if (frm->len < len)
+ return;
+
 raw_ndump(level, frm, len);
 frm->ptr += len;
 frm->len -= len;
 break;
 case 0x80: /* One byte */
+ if (frm->len < 1) {
+ printf("\n");
+ return;
+ }
+
 hv8 = get_u8(frm);
 printf(" = %d\n", hv8);
 break;
 case 0xc0: /* Four bytes */
+ if (frm->len < 4) {
+ printf("\n");
+ return;
+ }
+
 hv32 = get_u32(frm);
 printf(" = %u\n", hv32);
 break;
@@ -276,6 +304,11 @@ void obex_dump(int level, struct frame *frm)
 switch (opcode & 0x7f) {
 case 0x00: /* Connect */
+ if (frm->len < 4) {
+ printf("\n");
+ return;
+ }
+
 version = get_u8(frm);
 flags = get_u8(frm);
 pktlen = get_u16(frm);
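Review bot: The new `if (frm->len < len)` guard in the Unicode and Byte-sequence arms does not cover a header whose 16-bit length field is below 3: `len = get_u16(frm) - 3` underflows there, and what follows depends on how `len` is declared outside the hunk — a signed `len` makes the guard pass, hands a negative count to `raw_ndump` and moves `frm->ptr` backwards, while an unsigned one is probably only saved by the wrapped value exceeding `frm->len`. Reading the field into a new local and rejecting the short case first makes the bound explicit: `hlen = get_u16(frm); if (hlen < 3 || frm->len < hlen - 3) return; len = hlen - 3;`. The two arms are otherwise identical apart from the label string and could share a static helper taking the label. parse_headers begins before this hunk, so the loop condition that drives these reads is not visible.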
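Review bot: The literal `4` in the new Connect guard is a magic number whose meaning is only recoverable by counting the two `get_u8` and one `get_u16` calls that follow; a trailing comment would tie the check to the reads it protects: `if (frm->len < 4) { /* version(1) + flags(1) + pktlen(2) */`. The remainder of obex_dump, including whatever consumes `pktlen`, lies outside this hunk.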
@@ -284,17 +317,19 @@ void obex_dump(int level, struct frame *frm)
 break;
 case 0x05: /* SetPath */
- if (length > 3) {
- flags = get_u8(frm);
- constants = get_u8(frm);
- printf(" flags %d constants %d\n",
- flags, constants);
- } else
+ if (frm->len < 2) {
 printf("\n");
+ return;
+ }
+
+ flags = get_u8(frm);
+ constants = get_u8(frm);
+ printf(" flags %d constants %d\n", flags, constants);
 break;
 default:
 printf("\n");
+ break;
 }
 if ((status & 0x70) && (parser.flags & DUMP_VERBOSE)) {
-- 
2.47.3
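Review bot: The truncated-SetPath path now returns from obex_dump instead of falling through, so the `if ((status & 0x70) && (parser.flags & DUMP_VERBOSE))` block after the switch is skipped where the old `} else printf("\n");` path still reached it; if that is intended, the `return` deserves a comment saying so, and if not, `break;` keeps the previous flow. The old `length > 3` test on the packet-level length field is dropped entirely, so a frame whose declared length disagrees with `frm->len` is no longer noticed — presumably acceptable for a dumper, but worth a sentence in the commit message. The `2` in the new guard would read better as `if (frm->len < 2) { /* flags(1) + constants(1) */`. obex_dump continues past the end of this hunk.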