gatt-client: Check length of notify multiple op
author Sebastian Urban <surban@surban.net>
Fri, 11 Jun 2021 12:30:21 +0000 (14:30 +0200)
committer Ayush Garg <ayush.garg@samsung.com>
Fri, 11 Mar 2022 13:38:35 +0000 (19:08 +0530)
Check that specified length of value in received data does not exceed
length of PDU. Otherwise data may be read from beyond the end of the
buffer.

Signed-off-by: Anuj Jain <anuj01.jain@samsung.com>
Signed-off-by: Ayush Garg <ayush.garg@samsung.com>
src/shared/gatt-client.c

index 71bd380..50e9537 100644 (file)
@@ -2431,6 +2431,9 @@ static void notify_cb(struct bt_att_chan *chan, uint8_t opcode,
                        length -= 2;
                        pdu += 2;
 
+                       if (data.len > length)
+                               data.len = length;
+
                        data.data = pdu;
 
                        queue_foreach(client->notify_list, notify_handler,
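
Review bot: The added `if (data.len > length)` branch in notify_cb silently clamps `data.len` to `length`, so a PDU whose declared value length exceeds the bytes actually remaining is still passed to `notify_handler` as a truncated value. Consider treating the mismatch as a malformed PDU (log it and stop processing), or add a comment saying why truncation is the intended behaviour. Separately, the context lines show `length -= 2; pdu += 2;` directly above the new check, and the visible lines do not show a guard that at least 2 bytes remain before that subtraction; the new comparison is only meaningful if `length` is an accurate remaining count at this point, so it is worth confirming that guard exists earlier in the function.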