Source-Changes-HG archive
[src/trunk]: src/lib/libbluetooth Don't add the passed in 'len' value while t...
details: https://anonhg.NetBSD.org/src/rev/46237dda9a6f
branches: trunk
changeset: 763854:46237dda9a6f
user: plunky <plunky%NetBSD.org@localhost>
date: Tue Apr 05 18:19:04 2011 +0000
description:
Don't add the passed in 'len' value while testing if the data
space is large enough, to handle the edge case where len is
large (up to SSIZE_MAX may be valid on some machines) causing
pointers to wrap around and the fail condition to be missed.
diffstat:
lib/libbluetooth/sdp_put.c | 12 ++++++------
lib/libbluetooth/sdp_set.c | 10 +++++-----
2 files changed, 11 insertions(+), 11 deletions(-)
diffs (97 lines):
diff -r 49262ccd8409 -r 46237dda9a6f lib/libbluetooth/sdp_put.c
--- a/lib/libbluetooth/sdp_put.c Tue Apr 05 17:17:35 2011 +0000
+++ b/lib/libbluetooth/sdp_put.c Tue Apr 05 18:19:04 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sdp_put.c,v 1.4 2011/04/04 19:51:33 plunky Exp $ */
+/* $NetBSD: sdp_put.c,v 1.5 2011/04/05 18:19:04 plunky Exp $ */
/*-
* Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: sdp_put.c,v 1.4 2011/04/04 19:51:33 plunky Exp $");
+__RCSID("$NetBSD: sdp_put.c,v 1.5 2011/04/05 18:19:04 plunky Exp $");
#include <bluetooth.h>
#include <limits.h>
@@ -51,7 +51,7 @@
len = value->end - value->next;
- if (data->next + len > data->end)
+ if (len > data->end - data->next)
return false;
memcpy(data->next, value->next, (size_t)len);
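Review bot: the '(size_t)len' cast in the memcpy call assumes len is non-negative, but nothing in the visible context rejects value->end < value->next. The rewritten test 'len > data->end - data->next' is false for a negative len, so such a value would reach memcpy as a very large size. Consider returning false when len < 0 ahead of this check, so the cast is safe by construction.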
@@ -304,21 +304,21 @@
return false;
if ((size_t)len > UINT16_MAX) {
- if (p + 5 + len > data->end)
+ if (len > data->end - 5 - p)
return false;
p[0] = type | SDP_DATA_EXT32;
be32enc(p + 1, (uint32_t)len);
p += 5;
} else if ((size_t)len > UINT8_MAX) {
- if (p + 3 + len > data->end)
+ if (len > data->end - 3 - p)
return false;
p[0] = type | SDP_DATA_EXT16;
be16enc(p + 1, (uint16_t)len);
p += 3;
} else {
- if (p + 2 + len > data->end)
+ if (len > data->end - 2 - p)
return false;
p[0] = type | SDP_DATA_EXT8;
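Review bot: in 'len > data->end - 5 - p' (and the '- 3' and '- 2' variants) the subtraction groups as '(data->end - 5) - p', so an intermediate pointer below data->end is formed before the difference is taken. Writing it as 'len > data->end - p - 5' takes the pointer difference first and subtracts the header size as an integer. That avoids forming a pointer that could precede the start of the buffer when the buffer is shorter than the header, and it matches the 'data->end - p - 1' operand order already used in sdp_set.c.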
diff -r 49262ccd8409 -r 46237dda9a6f lib/libbluetooth/sdp_set.c
--- a/lib/libbluetooth/sdp_set.c Tue Apr 05 17:17:35 2011 +0000
+++ b/lib/libbluetooth/sdp_set.c Tue Apr 05 18:19:04 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sdp_set.c,v 1.2 2009/05/14 19:12:45 plunky Exp $ */
+/* $NetBSD: sdp_set.c,v 1.3 2011/04/05 18:19:04 plunky Exp $ */
/*-
* Copyright (c) 2009 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: sdp_set.c,v 1.2 2009/05/14 19:12:45 plunky Exp $");
+__RCSID("$NetBSD: sdp_set.c,v 1.3 2011/04/05 18:19:04 plunky Exp $");
#include <bluetooth.h>
#include <limits.h>
@@ -187,7 +187,7 @@
return false;
len = data->end - p - 1;
- } else if (p + 1 + len > data->end)
+ } else if (len > data->end - 1 - p)
return false;
if (len > UINT8_MAX)
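Review bot: the else-branch test 'len > data->end - 1 - p' only bounds len from above. If len is signed, as the '(size_t)len' cast in the last hunk of this file suggests, a negative value reaching this branch passes both this test and the following 'len > UINT8_MAX' test. If the branch above, whose condition is outside the visible context, covers only a single sentinel value, an explicit 'len < 0' rejection belongs here.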
@@ -202,7 +202,7 @@
return false;
len = data->end - p - 2;
- } else if (p + 2 + len > data->end)
+ } else if (len > data->end - 2 - p)
return false;
if (len > UINT16_MAX)
@@ -217,7 +217,7 @@
return false;
len = data->end - p - 4;
- } else if (p + 4 + len > data->end)
+ } else if (len > data->end - 4 - p)
return false;
if ((size_t)len > UINT32_MAX)
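Review bot: the same bounds test now appears three times in this file with only the header size changing ('- 1', '- 2', '- 4'), each a few lines below 'len = data->end - p - N' written in the opposite operand order. A small helper or macro taking the header size would keep the three sites in one form, and would give the wrap-around rationale from the commit message a single place to be documented in a comment.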