authorAleksander Morgado <aleksander@lanedo.com>2012-09-24 12:08:27 +0200
committerAleksander Morgado <aleksander@lanedo.com>2012-09-24 12:08:27 +0200
commitec138d4f8d74c3c3bc5b3989d927d63f48c4386c (patch)
treeb9af086fe70c4593e0c1626263b579e5d3b94d90
parent170d8548e71509b6eca5e1d27cc19a38e3c06d62 (diff)
qmi-message: fix minimum size of buffer needed to read a QMI message
The buffer must contain *at least* the initial 1-byte marker plus the length reported by the QMUX header. The minimum size check was off by 2 bytes, which could cause errors when trying to decode a message before all of its bytes had been read. Can easily be triggered using 1 for the BUFFER_SIZE in QmiDevice.
-rw-r--r--libqmi-glib/qmi-message.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/libqmi-glib/qmi-message.c b/libqmi-glib/qmi-message.c
index 6d4e58b..c693d2e 100644
--- a/libqmi-glib/qmi-message.c
+++ b/libqmi-glib/qmi-message.c
@@ -570,14 +570,15 @@ qmi_message_new_from_raw (const guint8 *raw,
QmiMessage *self;
gsize message_len;
- /* If we didn't even read the header, leave */
+ /* If we didn't even read the QMUX header (comes after the 1-byte marker),
+ * leave */
if (raw_len < (sizeof (struct qmux) + 1))
return NULL;
- /* We need to have read the length reported by the header.
- * Otherwise, return. */
- message_len = le16toh (((struct full_message *)raw)->qmux.length);
- if (raw_len < (message_len - 1))
+ /* We need to have read the length reported by the QMUX header (plus the
+ * initial 1-byte marker) */
+ message_len = GUINT16_FROM_LE (((struct full_message *)raw)->qmux.length);
+ if (raw_len < (message_len + 1))
return NULL;
/* Ok, so we should have all the data available already */