Hi Szymon,

On Wed, Feb 23, 2011, Szymon Janc wrote:
> Crafted (too small) data buffer could result in reading data outside of buffer.
> Validate buffer size and return EINVAL if size is wrong.
>
> Signed-off-by: Szymon Janc <szymon.janc@xxxxxxxxx>

The patch looks good, except for this part:

> @@ -1170,6 +1219,10 @@ static int user_confirm_reply(struct sock *sk, u16 index, unsigned char *data,
>
> BT_DBG("");
>
> + if (len != sizeof(*cp))
> + return cmd_status(sk, index, MGMT_OP_USER_CONFIRM_REPLY,
> + EINVAL);
> +
> if (success) {
> mgmt_op = MGMT_OP_USER_CONFIRM_REPLY;
> hci_op = HCI_OP_USER_CONFIRM_REPLY;

Note that this function is also used for the negative reply so you can't hard-code the MGMT_OP_USER_CONFIRM_REPLY in the cmd_status. Instead move the if (success) part earlier in the function and then use mgmt_op for the cmd_status.

When that's fixed:

Acked-by: Johan Hedberg <johan.hedberg@xxxxxxxxx>

Johan
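Review bot: the length check added at the top of the hunk hard-codes MGMT_OP_USER_CONFIRM_REPLY in its cmd_status call, yet the context lines directly beneath it (`if (success) { mgmt_op = MGMT_OP_USER_CONFIRM_REPLY; ...`) show mgmt_op being selected at runtime, so a malformed negative reply would get its error status reported under the wrong opcode. Hoist the `if (success)` selection of mgmt_op above the size check and return `cmd_status(sk, index, mgmt_op, EINVAL)` instead, so the failure is reported against the opcode the caller actually sent. The check itself, `len != sizeof(*cp)`, is the right shape: rejecting any length other than the exact struct size is what closes the out-of-bounds read the commit message describes, and it should stay before any field of cp is touched.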