Hi Andrei, > Remove unneeded skb_pull and correct packet length calculation > removing magic number. > --- > net/bluetooth/hci_event.c | 5 ++--- > 1 files changed, 2 insertions(+), 3 deletions(-) > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index cfccf7e..21c1bf0 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -2268,8 +2268,6 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s > struct hci_ev_num_comp_pkts *ev = (void *) skb->data; > int i; > > - skb_pull(skb, sizeof(*ev)); > - > BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); > > if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { > @@ -2277,7 +2275,8 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s > return; > } > > - if (skb->len < ev->num_hndl * 4) { > + if (skb->len < ev->num_hndl * sizeof(struct hci_comp_pkts_info) + > + sizeof(*ev)) { > BT_DBG("%s bad parameters", hdev->name); > return; > } actually this check is not enough. You need to make this two-fold. if (skb->len < sizeof(*ev)) { ... return; } This needs to be checked first. Otherwise you are accessing ev->num_hndl before even knowing that it is valid. A malicious device could otherwise sneak in some weird behavior. Regards Marcel -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html