Check util_iov_pull_mem where iov len is not verified beforehand. Check vcp_get_vcs for NULL. These changes are based on other usages where those checks exist.
---
 src/shared/bap.c | 23 +++++++++++++++++++++++
 src/shared/vcp.c | 3 +++
 2 files changed, 26 insertions(+)
diff --git a/src/shared/bap.c b/src/shared/bap.c
index 76340d565..a866f4cdc 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -7457,6 +7457,11 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
 codec = util_iov_pull_mem(iov, sizeof(*codec));
+ if (!codec) {
+ ret = false;
+ goto done;
+ }
+
 util_debug(func, NULL, "Codec: ID %d CID 0x%2.2x VID 0x%2.2x", codec->id, codec->cid, codec->vid);
@@ -7468,6 +7473,12 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
 }
 l2_cc.iov_base = util_iov_pull_mem(iov, l2_cc_len);
+
+ if (!l2_cc.iov_base) {
+ ret = false;
+ goto done;
+ }
+
 l2_cc.iov_len = l2_cc_len;
 /* Print Codec Specific Configuration */
@@ -7482,6 +7493,12 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
 }
 meta.iov_base = util_iov_pull_mem(iov, meta_len);
+
+ if (!meta.iov_base) {
+ ret = false;
+ goto done;
+ }
+
 meta.iov_len = meta_len;
 /* Print Metadata */
@@ -7512,6 +7529,12 @@ bool bt_bap_parse_base(uint8_t sid, struct iovec *iov,
 l3_cc.iov_base = util_iov_pull_mem(iov, l3_cc_len);
+
+ if (!l3_cc.iov_base) {
+ ret = false;
+ goto done;
+ }
+
 l3_cc.iov_len = l3_cc_len;
 /* Print Codec Specific Configuration */
diff --git a/src/shared/vcp.c b/src/shared/vcp.c
index c96ad4376..a13b9d953 100644
--- a/src/shared/vcp.c
+++ b/src/shared/vcp.c
@@ -2934,6 +2934,9 @@ static void foreach_vcs_service(struct gatt_db_attribute *attr,
 struct bt_vcp *vcp = user_data;
 struct bt_vcs *vcs = vcp_get_vcs(vcp);
+ if (!vcs)
+ return;
+
 vcs->service = attr;
 gatt_db_service_set_claimed(attr, true);
--
2.34.1
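Review bot: Nothing at this first guard records why every `util_iov_pull_mem` result in bt_bap_parse_base now has to be NULL-checked, and the identical `ret = false; goto done;` guard recurs for `l2_cc`, `meta` and `l3_cc` in the next three hunks, so the invariant deserves a comment here rather than being left implicit. The check itself is well placed, ahead of the `util_debug` that dereferences `codec`. Suggested comment above the `if (!codec)`: `/* iov length is not validated up front: every pull must be checked before its result is used */`. For the three length-driven pulls a NULL return is treated as a truncated BASE; if util_iov_pull_mem can also return NULL for a zero-length pull once the buffer is exhausted (its implementation is not visible here), an entry with empty codec configuration or metadata would be rejected, which is worth confirming. The `done` label and the remainder of the function lie outside these hunks.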
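Review bot: The early `return` when `vcp_get_vcs` yields NULL silently skips both recording the attribute in `vcs->service` and the `gatt_db_service_set_claimed` call, so a VCS service that is presumably being enumerated here would be dropped with no trace in the logs. A one-line debug message before the `return`, using whatever debug helper vcp.c already has in scope, would make that visible, and a comment such as `/* No VCS instance for this vcp: leave the service unclaimed */` would record the intent. The rest of foreach_vcs_service continues past the end of the hunk.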