Hi Andrei,
> Remove unneeded skb_pull and correct packet length calculation
> removing magic number.
> ---
> net/bluetooth/hci_event.c | 5 ++---
> 1 files changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index cfccf7e..21c1bf0 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -2268,8 +2268,6 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s
> struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
> int i;
>
> - skb_pull(skb, sizeof(*ev));
> -
> BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
>
> if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
> @@ -2277,7 +2275,8 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s
> return;
> }
>
> - if (skb->len < ev->num_hndl * 4) {
> + if (skb->len < ev->num_hndl * sizeof(struct hci_comp_pkts_info) +
> + sizeof(*ev)) {
> BT_DBG("%s bad parameters", hdev->name);
> return;
> }
actually this check is not enough. You need to make this two-fold.
if (skb->len < sizeof(*ev)) {
...
return;
}
This needs to be checked first. Otherwise you are accessing ev->num_hndl
before even knowing that it is valid. A malicious device could otherwise
sneak in some weird behavior.
Regards
Marcel
--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
