Add the prevent logic for the abnormal manufacture data

author DoHyun Pyun <dh79.pyun@samsung.com>

Thu, 16 May 2019 04:11:28 +0000 (13:11 +0900)

committer DoHyun Pyun <dh79.pyun@samsung.com>

Fri, 17 May 2019 00:15:58 +0000 (09:15 +0900)
author DoHyun Pyun <dh79.pyun@samsung.com>
Thu, 16 May 2019 04:11:28 +0000 (13:11 +0900)
committer DoHyun Pyun <dh79.pyun@samsung.com>
Fri, 17 May 2019 00:15:58 +0000 (09:15 +0900)
diff --git a/src/bluetooth-adapter.c b/src/bluetooth-adapter.c

index 0eee5e7..77ef92a 100644 (file)
--- a/src/bluetooth-adapter.c
+++ b/src/bluetooth-adapter.c
@@ -3152,6 +3152,19 @@ int bt_adapter_le_get_scan_result_manufacturer_data(const bt_adapter_le_device_s
         while (remain_len > 0) {
                 field_len = remain_data[0];
                 if (remain_data[1] == BT_ADAPTER_LE_ADVERTISING_DATA_MANUFACTURER_SPECIFIC_DATA) {
+                       if (field_len < 3 || (remain_len - 1 < field_len)) {
+                               /* Manufacturer Specific Data (2 or more octets)
+                                   - The first 2 octets contain the Company Identifier
+                                     Code followed by additional manufacturer specific data
+
+                                  |field_len|0xff|Company ID (2 bytes)|data (size: field_len - 3|
+
+                                  And field_len should be smaller than "remain_len - 1"
+                               */
+
+                               return BT_ERROR_NO_DATA;
+                       }
+
                         *manufacturer_id = remain_data[3] << 8;
                         *manufacturer_id += remain_data[2];
author	DoHyun Pyun <dh79.pyun@samsung.com>
	Thu, 16 May 2019 04:11:28 +0000 (13:11 +0900)
committer	DoHyun Pyun <dh79.pyun@samsung.com>
	Fri, 17 May 2019 00:15:58 +0000 (09:15 +0900)