From d356a6242be9a1aba2cca871b79618e3b28a5ec2 Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 17 Nov 2016 15:59:42 +0200
Subject: [PATCH] core/advertising: Fix crash when passing invalid dictionary

We expect dict entries to have a{sv} format but the code don't check if the entries really encode the variant which may lead to a crash in dbus_message_iter_recurse.
---
 src/advertising.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/advertising.c b/src/advertising.c
index ef84e45d3..e7840bf55 100644
--- a/src/advertising.c
+++ b/src/advertising.c
@@ -298,6 +298,10 @@ static bool parse_advertising_manufacturer_data(GDBusProxy *proxy,
 dbus_message_iter_get_basic(&entry, &manuf_id);
 
 dbus_message_iter_next(&entry);
+
+ if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_VARIANT)
+ goto fail;
+
 dbus_message_iter_recurse(&entry, &value);
 
 if (dbus_message_iter_get_arg_type(&value) != DBUS_TYPE_ARRAY)
@@ -356,6 +360,10 @@ static bool parse_advertising_service_data(GDBusProxy *proxy,
 goto fail;
 
 dbus_message_iter_next(&entry);
+
+ if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_VARIANT)
+ goto fail;
+
 dbus_message_iter_recurse(&entry, &value);
 
 if (dbus_message_iter_get_arg_type(&value) != DBUS_TYPE_ARRAY)
-- 
2.47.3
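Review bot: In the first hunk, `dbus_message_iter_get_basic(&entry, &manuf_id)` still reads the dictionary key with no visible check of its type, so the added variant check validates only the value half of each entry. `dbus_message_iter_get_basic` stores a value of whatever type the sender encoded, so a key wider than `manuf_id` (presumably a 16-bit integer, its declaration is outside the hunk) could be written past that variable. The start of parse_advertising_manufacturer_data is also outside the hunk, so confirm that nothing earlier already rejects such a key. If nothing does, add `if (dbus_message_iter_get_arg_type(&entry) != DBUS_TYPE_UINT16) goto fail;` immediately before the `get_basic` call. The second hunk does not show how parse_advertising_service_data reads its key, so it is worth checking that read the same way against the expected key type.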