search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ndis(4): Avoid overflow.
[freebsd-src.git] / lib / libsdp / search.c
blobfa2a92d05a61263154163b1f5d5cdb9ce585b8ab
1 /*
2 * search.c
3 *
4 * Copyright (c) 2001-2003 Maksim Yevmenkin <m_evmenkin@yahoo.com>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 * $Id: search.c,v 1.2 2003/09/04 22:12:13 max Exp $
29 * $FreeBSD$
30 */
31
32 #include <sys/uio.h>
33 #include <netinet/in.h>
34 #include <arpa/inet.h>
35 #define L2CAP_SOCKET_CHECKED
36 #include <bluetooth.h>
37 #include <errno.h>
38 #include <stdio.h>
39 #include <stdlib.h>
40 #include <string.h>
41 #include <unistd.h>
42
43 #include <sdp-int.h>
44 #include <sdp.h>
45
46 int32_t
47 sdp_search(void *xss,
48 uint32_t plen, uint16_t const *pp,
49 uint32_t alen, uint32_t const *ap,
50 uint32_t vlen, sdp_attr_t *vp)
51 {
52 struct sdp_xpdu {
53 sdp_pdu_t pdu;
54 uint16_t len;
55 } __attribute__ ((packed)) xpdu;
56
57 sdp_session_p ss = (sdp_session_p) xss;
58 uint8_t *req = NULL, *rsp = NULL, *rsp_tmp = NULL;
59 int32_t t, len;
60 uint16_t lo, hi;
61
62 if (ss == NULL)
63 return (-1);
64
65 if (ss->req == NULL || ss->rsp == NULL ||
66 plen == 0 || pp == NULL || alen == 0 || ap == NULL) {
67 ss->error = EINVAL;
68 return (-1);
69 }
70
71 req = ss->req;
72
73 /* Calculate ServiceSearchPattern length */
74 plen = plen * (sizeof(pp[0]) + 1);
75
76 /* Calculate AttributeIDList length */
77 for (len = 0, t = 0; t < alen; t ++) {
78 lo = (uint16_t) (ap[t] >> 16);
79 hi = (uint16_t) (ap[t]);
80
81 if (lo > hi) {
82 ss->error = EINVAL;
83 return (-1);
84 }
85
86 if (lo != hi)
87 len += (sizeof(ap[t]) + 1);
88 else
89 len += (sizeof(lo) + 1);
90 }
91 alen = len;
92
93 /* Calculate length of the request */
94 len = plen + sizeof(uint8_t) + sizeof(uint16_t) +
95 /* ServiceSearchPattern */
96 sizeof(uint16_t) +
97 /* MaximumAttributeByteCount */
98 alen + sizeof(uint8_t) + sizeof(uint16_t);
99 /* AttributeIDList */
100
101 if (ss->req_e - req < len) {
102 ss->error = ENOBUFS;
103 return (-1);
104 }
105
106 /* Put ServiceSearchPattern */
107 SDP_PUT8(SDP_DATA_SEQ16, req);
108 SDP_PUT16(plen, req);
109 for (; plen > 0; pp ++, plen -= (sizeof(pp[0]) + 1)) {
110 SDP_PUT8(SDP_DATA_UUID16, req);
111 SDP_PUT16(*pp, req);
112 }
113
114 /* Put MaximumAttributeByteCount */
115 SDP_PUT16(0xffff, req);
116
117 /* Put AttributeIDList */
118 SDP_PUT8(SDP_DATA_SEQ16, req);
119 SDP_PUT16(alen, req);
120 for (; alen > 0; ap ++) {
121 lo = (uint16_t) (*ap >> 16);
122 hi = (uint16_t) (*ap);
123
124 if (lo != hi) {
125 /* Put attribute range */
126 SDP_PUT8(SDP_DATA_UINT32, req);
127 SDP_PUT32(*ap, req);
128 alen -= (sizeof(ap[0]) + 1);
129 } else {
130 /* Put attribute */
131 SDP_PUT8(SDP_DATA_UINT16, req);
132 SDP_PUT16(lo, req);
133 alen -= (sizeof(lo) + 1);
134 }
135 }
136
137 /* Submit ServiceSearchAttributeRequest and wait for response */
138 ss->cslen = 0;
139 rsp = ss->rsp;
140
141 do {
142 struct iovec iov[2];
143 uint8_t *req_cs = req;
144
145 /* Add continuation state (if any) */
146 if (ss->req_e - req_cs < ss->cslen + 1) {
147 ss->error = ENOBUFS;
148 return (-1);
149 }
150
151 SDP_PUT8(ss->cslen, req_cs);
152 if (ss->cslen > 0) {
153 memcpy(req_cs, ss->cs, ss->cslen);
154 req_cs += ss->cslen;
155 }
156
157 /* Prepare SDP PDU header */
158 xpdu.pdu.pid = SDP_PDU_SERVICE_SEARCH_ATTRIBUTE_REQUEST;
159 xpdu.pdu.tid = htons(ss->tid);
160 xpdu.pdu.len = htons(req_cs - ss->req);
161
162 /* Submit request */
163 iov[0].iov_base = (void *) &xpdu;
164 iov[0].iov_len = sizeof(xpdu.pdu);
165 iov[1].iov_base = (void *) ss->req;
166 iov[1].iov_len = req_cs - ss->req;
167
168 do {
169 len = writev(ss->s, iov, sizeof(iov)/sizeof(iov[0]));
170 } while (len < 0 && errno == EINTR);
171
172 if (len < 0) {
173 ss->error = errno;
174 return (-1);
175 }
176
177 /* Read response */
178 iov[0].iov_base = (void *) &xpdu;
179 iov[0].iov_len = sizeof(xpdu);
180 iov[1].iov_base = (void *) rsp;
181 iov[1].iov_len = ss->imtu;
182
183 do {
184 len = readv(ss->s, iov, sizeof(iov)/sizeof(iov[0]));
185 } while (len < 0 && errno == EINTR);
186
187 if (len < 0) {
188 ss->error = errno;
189 return (-1);
190 }
191 if (len < sizeof(xpdu)) {
192 ss->error = ENOMSG;
193 return (-1);
194 }
195
196 xpdu.pdu.tid = ntohs(xpdu.pdu.tid);
197 xpdu.pdu.len = ntohs(xpdu.pdu.len);
198 xpdu.len = ntohs(xpdu.len);
199
200 if (xpdu.pdu.pid == SDP_PDU_ERROR_RESPONSE ||
201 xpdu.pdu.tid != ss->tid ||
202 xpdu.pdu.len > len ||
203 xpdu.len > xpdu.pdu.len) {
204 ss->error = EIO;
205 return (-1);
206 }
207
208 rsp += xpdu.len;
209 ss->tid ++;
210
211 /* Save continuation state (if any) */
212 ss->cslen = rsp[0];
213 if (ss->cslen > 0) {
214 if (ss->cslen > sizeof(ss->cs)) {
215 ss->error = ENOBUFS;
216 return (-1);
217 }
218
219 memcpy(ss->cs, rsp + 1, ss->cslen);
220
221 /*
222 * Ensure that we always have ss->imtu bytes
223 * available in the ss->rsp buffer
224 */
225
226 if (ss->rsp_e - rsp <= ss->imtu) {
227 uint32_t size, offset;
228
229 size = ss->rsp_e - ss->rsp + ss->imtu;
230 offset = rsp - ss->rsp;
231
232 rsp_tmp = realloc(ss->rsp, size);
233 if (rsp_tmp == NULL) {
234 ss->error = ENOMEM;
235 return (-1);
236 }
237
238 ss->rsp = rsp_tmp;
239 ss->rsp_e = ss->rsp + size;
240 rsp = ss->rsp + offset;
241 }
242 }
243 } while (ss->cslen > 0);
244
245 /*
246 * If we got here then we have completed SDP transaction and now
247 * we must populate attribute values into vp array. At this point
248 * ss->rsp points to the beginning of the response and rsp points
249 * to the end of the response.
250 *
251 * From Bluetooth v1.1 spec page 364
252 *
253 * The AttributeLists is a data element sequence where each element
254 * in turn is a data element sequence representing an attribute list.
255 * Each attribute list contains attribute IDs and attribute values
256 * from one service record. The first element in each attribute list
257 * contains the attribute ID of the first attribute to be returned for
258 * that service record. The second element in each attribute list
259 * contains the corresponding attribute value. Successive pairs of
260 * elements in each attribute list contain additional attribute ID
261 * and value pairs. Only attributes that have non-null values within
262 * the service record and whose attribute IDs were specified in the
263 * SDP_ServiceSearchAttributeRequest are contained in the AttributeLists
264 * Neither an attribute ID nor attribute value is placed in
265 * AttributeLists for attributes in the service record that have no
266 * value. Within each attribute list, the attributes are listed in
267 * ascending order of attribute ID value.
268 */
269
270 if (vp == NULL)
271 goto done;
272
273 rsp_tmp = ss->rsp;
274
275 /* Skip the first SEQ */
276 SDP_GET8(t, rsp_tmp);
277 switch (t) {
278 case SDP_DATA_SEQ8:
279 SDP_GET8(len, rsp_tmp);
280 break;
281
282 case SDP_DATA_SEQ16:
283 SDP_GET16(len, rsp_tmp);
284 break;
285
286 case SDP_DATA_SEQ32:
287 SDP_GET32(len, rsp_tmp);
288 break;
289
290 default:
291 ss->error = ENOATTR;
292 return (-1);
293 /* NOT REACHED */
294 }
295
296 for (; rsp_tmp < rsp && vlen > 0; ) {
297 /* Get set of attributes for the next record */
298 SDP_GET8(t, rsp_tmp);
299 switch (t) {
300 case SDP_DATA_SEQ8:
301 SDP_GET8(len, rsp_tmp);
302 break;
303
304 case SDP_DATA_SEQ16:
305 SDP_GET16(len, rsp_tmp);
306 break;
307
308 case SDP_DATA_SEQ32:
309 SDP_GET32(len, rsp_tmp);
310 break;
311
312 default:
313 ss->error = ENOATTR;
314 return (-1);
315 /* NOT REACHED */
316 }
317
318 /* Now rsp_tmp points to list of (attr,value) pairs */
319 for (; len > 0 && vlen > 0; vp ++, vlen --) {
320 /* Attribute */
321 SDP_GET8(t, rsp_tmp);
322 if (t != SDP_DATA_UINT16) {
323 ss->error = ENOATTR;
324 return (-1);
325 }
326 SDP_GET16(vp->attr, rsp_tmp);
327
328 /* Attribute value */
329 switch (rsp_tmp[0]) {
330 case SDP_DATA_NIL:
331 alen = 0;
332 break;
333
334 case SDP_DATA_UINT8:
335 case SDP_DATA_INT8:
336 case SDP_DATA_BOOL:
337 alen = sizeof(uint8_t);
338 break;
339
340 case SDP_DATA_UINT16:
341 case SDP_DATA_INT16:
342 case SDP_DATA_UUID16:
343 alen = sizeof(uint16_t);
344 break;
345
346 case SDP_DATA_UINT32:
347 case SDP_DATA_INT32:
348 case SDP_DATA_UUID32:
349 alen = sizeof(uint32_t);
350 break;
351
352 case SDP_DATA_UINT64:
353 case SDP_DATA_INT64:
354 alen = sizeof(uint64_t);
355 break;
356
357 case SDP_DATA_UINT128:
358 case SDP_DATA_INT128:
359 case SDP_DATA_UUID128:
360 alen = sizeof(uint128_t);
361 break;
362
363 case SDP_DATA_STR8:
364 case SDP_DATA_URL8:
365 case SDP_DATA_SEQ8:
366 case SDP_DATA_ALT8:
367 alen = rsp_tmp[1] + sizeof(uint8_t);
368 break;
369
370 case SDP_DATA_STR16:
371 case SDP_DATA_URL16:
372 case SDP_DATA_SEQ16:
373 case SDP_DATA_ALT16:
374 alen = ((uint16_t)rsp_tmp[1] << 8)
375 | ((uint16_t)rsp_tmp[2]);
376 alen += sizeof(uint16_t);
377 break;
378
379 case SDP_DATA_STR32:
380 case SDP_DATA_URL32:
381 case SDP_DATA_SEQ32:
382 case SDP_DATA_ALT32:
383 alen = ((uint32_t)rsp_tmp[1] << 24)
384 | ((uint32_t)rsp_tmp[2] << 16)
385 | ((uint32_t)rsp_tmp[3] << 8)
386 | ((uint32_t)rsp_tmp[4]);
387 alen += sizeof(uint32_t);
388 break;
389
390 default:
391 ss->error = ENOATTR;
392 return (-1);
393 /* NOT REACHED */
394 }
395
396 alen += sizeof(uint8_t);
397
398 if (vp->value != NULL) {
399 if (alen <= vp->vlen) {
400 vp->flags = SDP_ATTR_OK;
401 vp->vlen = alen;
402 } else
403 vp->flags = SDP_ATTR_TRUNCATED;
404
405 memcpy(vp->value, rsp_tmp, vp->vlen);
406 } else
407 vp->flags = SDP_ATTR_INVALID;
408
409 len -= (
410 sizeof(uint8_t) + sizeof(uint16_t) +
411 alen
412 );
413
414 rsp_tmp += alen;
415 }
416 }
417 done:
418 ss->error = 0;
419
420 return (0);
421 }
422
FreeBSD src