Check the length of output parameter

author Cheoleun Moon <chleun.moon@samsung.com>

Thu, 2 Apr 2020 10:21:24 +0000 (19:21 +0900)

committer Cheoleun Moon <chleun.moon@samsung.com>

Thu, 2 Apr 2020 10:21:24 +0000 (19:21 +0900)
author Cheoleun Moon <chleun.moon@samsung.com>
Thu, 2 Apr 2020 10:21:24 +0000 (19:21 +0900)
committer Cheoleun Moon <chleun.moon@samsung.com>
Thu, 2 Apr 2020 10:21:24 +0000 (19:21 +0900)
diff --git a/src/wifi-aware-private.c b/src/wifi-aware-private.c

index fcc5506..67af6a5 100644 (file)
--- a/src/wifi-aware-private.c
+++ b/src/wifi-aware-private.c
@@ -1065,6 +1065,11 @@ static void __service_discovered_cb(GDBusConnection *connection,
                         &sub_id, &peer_id, peer_mac,
                         specific_info, &specific_info_len);
  
+       if (specific_info_len > WIFI_AWARE_MAX_SERVICE_SPECIFIC_INFO_LEN) {
+               WIFI_AWARE_LOGE("Too long service specific info");
+               return;
+       }
+
         uint16_t session_pub_sub_id = _wifi_aware_session_get_pub_sub_id(session);
         if (sub_id == 0 || session_pub_sub_id != sub_id) {
                 WIFI_AWARE_LOGE("Invalid subscribe ID (%u:%u)", session_pub_sub_id, sub_id);
@@ -1099,6 +1104,10 @@ static void __message_received_cb(GDBusConnection *connection,
  
         __parsing_message_received_event(parameters, &peer_id, peer_mac,
                         message, &message_len);
+       if (message_len > WIFI_AWARE_MAX_SERVICE_SPECIFIC_INFO_LEN) {
+               WIFI_AWARE_LOGE("Too long message %u", message_len);
+               return;
+       }
  
         WIFI_AWARE_LOGD("Peer ID: %u", peer_id);
         if (__get_peer_handle(peer_id, &peer) != WIFI_AWARE_ERROR_NONE) {
author	Cheoleun Moon <chleun.moon@samsung.com>
	Thu, 2 Apr 2020 10:21:24 +0000 (19:21 +0900)
committer	Cheoleun Moon <chleun.moon@samsung.com>
	Thu, 2 Apr 2020 10:21:24 +0000 (19:21 +0900)