2009-05-13 10:14:04

by Unai Uribarri

Subject: [PATCH] Fixes buffer overflow when storing too large SDP pdus

sdp_gen_pdu doesn't check if the given buffer is big enough to contain
the requested data. When storing the SDP records returned by several
Nokia phones, the 512 byte array allocated on the stack by sdp_append_to_pdu
gets overflowed and causes a segmentation fault.

With this patch, sdp_gen_pdu returns -1 if the buffer is too small and
all the invokers of sdp_gen_pdu will check for errors.

Fixes: https://bugs.launchpad.net/ubuntu/+source/bluez/+bug/332119

PS: This fix is a bit cleaner than previous ones.

bluez-sdp-gen-pdu_overflow.diff (3.75 kB)
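The failure mode the message describes, as an added example that is neither bluez's code nor the attached patch: a simplified model of a PDU generator that serialises elements into a caller-supplied buffer, first in the unchecked form (trusting the caller's buffer) and then with the check the patch describes (return -1 when the buffer is too small, and every caller tests for it), together with an appender that keeps a fixed 512-byte scratch array on the stack. The element layout (1-byte type, 2-byte big-endian length, payload), the function names and the signatures are assumptions chosen for the example, not the real SDP data-element encoding or the bluez API.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not bluez code. The encoding below is an assumption made
 * for illustration: 1-byte type, 2-byte big-endian length, then payload. */
#define PDU_SCRATCH_SIZE 512

struct sdp_elem {
    uint8_t type;
    const uint8_t *data;
    size_t len;
};

/* Unchecked form: writes whatever the elements need and trusts that buf is
 * large enough. With a 512-byte scratch buffer and a longer record this
 * memcpy runs past the end of the caller's stack array. Kept only to show
 * the pattern; only ever called here with a buffer known to be big enough. */
static size_t gen_pdu_unchecked(uint8_t *buf, const struct sdp_elem *elems, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        buf[off++] = elems[i].type;
        buf[off++] = (uint8_t)(elems[i].len >> 8);
        buf[off++] = (uint8_t)(elems[i].len & 0xff);
        memcpy(buf + off, elems[i].data, elems[i].len); /* no bounds check */
        off += elems[i].len;
    }
    return off;
}

/* Checked form: returns the number of bytes written, or -1 if buf_size cannot
 * hold the whole PDU. Space is verified before each write, so nothing past
 * buf_size is ever touched, and the subtraction order avoids size_t wrap. */
static int gen_pdu(uint8_t *buf, size_t buf_size, const struct sdp_elem *elems, size_t n)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (elems[i].len > 0xffff)                 /* would not fit the 2-byte length */
            return -1;
        if (buf_size - off < 3 || buf_size - off - 3 < elems[i].len)
            return -1;                             /* header + payload do not fit */
        buf[off++] = elems[i].type;
        buf[off++] = (uint8_t)(elems[i].len >> 8);
        buf[off++] = (uint8_t)(elems[i].len & 0xff);
        memcpy(buf + off, elems[i].data, elems[i].len);
        off += elems[i].len;
    }
    return off > INT_MAX ? -1 : (int)off;
}

/* Caller model of the 512-byte stack array from the message: serialise into
 * the scratch buffer, then copy into a growing output. Propagates -1 instead
 * of letting an oversized record corrupt the stack. */
static int append_to_pdu(uint8_t *out, size_t out_size, size_t *out_len,
                         const struct sdp_elem *elems, size_t n)
{
    uint8_t scratch[PDU_SCRATCH_SIZE];
    int len = gen_pdu(scratch, sizeof scratch, elems, n);
    if (len < 0)
        return -1;                                 /* record too large for scratch */
    if ((size_t)len > out_size - *out_len)
        return -1;                                 /* output buffer full */
    memcpy(out + *out_len, scratch, (size_t)len);
    *out_len += (size_t)len;
    return len;
}

/* Builds one element with a constructed payload of payload_len bytes and
 * appends it. Returns the append result: bytes written, or -1 when the
 * element would not fit the 512-byte scratch array. */
int demo_record(size_t payload_len)
{
    uint8_t payload[1024];                         /* constructed sample data */
    uint8_t out[2048];
    size_t out_len = 0;
    if (payload_len > sizeof payload)
        return -2;
    memset(payload, 0xAB, sizeof payload);
    struct sdp_elem e = { 0x35, payload, payload_len };
    return append_to_pdu(out, sizeof out, &out_len, &e, 1);
}

/* Shows the check changes nothing when the buffer is large enough: both
 * encoders produce identical bytes. Returns the PDU length, or -1 on mismatch. */
int encoders_agree(void)
{
    uint8_t a[64], b[64];
    const uint8_t d1[] = { 1, 2, 3 }, d2[] = { 9 }; /* constructed sample elements */
    struct sdp_elem es[2] = { { 0x08, d1, 3 }, { 0x09, d2, 1 } };
    size_t n = gen_pdu_unchecked(a, es, 2);
    int m = gen_pdu(b, sizeof b, es, 2);
    return (m == (int)n && memcmp(a, b, n) == 0) ? (int)n : -1;
}

int main(void)
{
    printf("100-byte payload: %d\n", demo_record(100));   /* 103 */
    printf("509-byte payload: %d\n", demo_record(509));   /* 512, exactly fills scratch */
    printf("510-byte payload: %d\n", demo_record(510));   /* -1, rejected instead of overflowing */
    printf("encoders agree: %d\n", encoders_agree());     /* 10 */
    return 0;
}
```

The important detail is where the check sits: inside the generator, against the size the caller actually passed, rather than in each caller guessing how large the record will be. A 509-byte payload fills the scratch array exactly and is accepted; a 510-byte one is refused with -1, which is the case that previously wrote past the stack array.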