authorJohan Hedberg <johan.hedberg@intel.com>2011-10-06 12:36:49 +0300
committerJohan Hedberg <johan.hedberg@intel.com>2011-10-06 12:36:49 +0300
commit9b42767bec2d176bbd908f29854af957eb6afb3a (patch)
treeffdff861dfe955cabb286040cd3916c6ea3ed59f
parent35530dd57919eafc76254756ed1a9356ef267853 (diff)
Fix crash with invalid L2CAP frame sizes
Reported by Jukka Taimisto <jukka.taimisto@codenomicon.com>
-rw-r--r--parser/l2cap.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/parser/l2cap.c b/parser/l2cap.c
index c2ac10e..6a5a4b2 100644
--- a/parser/l2cap.c
+++ b/parser/l2cap.c
@@ -1094,6 +1094,12 @@ void l2cap_dump(int level, struct frame *frm)
hdr = frm->ptr;
dlen = btohs(hdr->len);
+ if (dlen + L2CAP_HDR_SIZE < (int) frm->len) {
+ /* invalid frame */
+ raw_dump(level,frm);
+ return;
+ }
+
if ((int) frm->len == (dlen + L2CAP_HDR_SIZE)) {
/* Complete frame */
l2cap_parse(level, frm);