Hi Szymon,

>>> Those could lead to reading invalid memory if frames were corrupted.
>>> ---
>>>  monitor/packet.c | 10 +++++-----
>>>  1 file changed, 5 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/monitor/packet.c b/monitor/packet.c
>>> index ba58d84..56a315b 100644
>>> --- a/monitor/packet.c
>>> +++ b/monitor/packet.c
>>> @@ -8204,7 +8204,7 @@ static const struct event_data event_table[] = {
>>>  	{ 0x01, "Inquiry Complete",
>>>  			inquiry_complete_evt, 1, true },
>>>  	{ 0x02, "Inquiry Result",
>>> -			inquiry_result_evt, 1, false },
>>> +			inquiry_result_evt, 8, false },
>>
>> these are wrong. That is why fixed size is set to false here. It means that
>> the callback function needs to ensure we do the right checks. If we don't,
>> please with the callback functions.
>
> If fixed==false then passed size is minimum required size and all callbacks
> are expecting those.
>
> From packet_hci_event()
>
> 	if (event_data->fixed) {
> 		if (hdr->plen != event_data->size) {
> 			print_text(COLOR_ERROR, "invalid packet size");
> 			packet_hexdump(data, size);
> 			return;
> 		}
> 	} else {
> 		if (hdr->plen < event_data->size) {
> 			print_text(COLOR_ERROR, "too short packet");
> 			packet_hexdump(data, size);
> 			return;
> 		}
> 	}
>
> 	event_data->func(data, hdr->plen);

yes exactly. And the minimum size for inquiry results is 1 octet. The num can actually be 0.

Regards

Marcel

--
To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
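Review bot: the Inquiry Result line in this hunk raises the table size from 1 to 8, but that entry is marked fixed == false, so size is a lower bound checked with `hdr->plen < event_data->size`, and a legitimate event carrying a num_responses of 0 (plen == 1) would now be dropped as "too short packet"; keep the minimum at 1 and have inquiry_result_evt verify that plen covers every response entry it reads before dereferencing it.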
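The check Marcel is asking for belongs in the callback, not in the table minimum. The following is an added example, not bluez monitor code: it mirrors the fixed/minimum dispatch quoted above from packet_hci_event() and shows an inquiry_result_evt that bounds-checks every response entry against the real plen, so a num_responses of 0 still parses while a corrupted frame is rejected instead of read past its end. The function names hci_event_dispatch, the enum parse_result and the sample frames are constructed here; the 14-octet entry length is taken from the HCI Inquiry Result event layout and is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: one Inquiry Result entry is 14 octets (BD_ADDR 6,
 * Page_Scan_Repetition_Mode 1, Reserved 2, Class_of_Device 3, Clock_Offset 2). */
#define INQUIRY_RESULT_ENTRY_LEN 14

struct evt_hdr {
	uint8_t evt;
	uint8_t plen;
};

/* Why a frame was accepted or dropped; lets the caller (or a test) see the reason. */
enum parse_result {
	PARSE_OK = 0,
	PARSE_INVALID_SIZE,	/* fixed-size event, plen != size */
	PARSE_TOO_SHORT,	/* minimum-size event, plen < size, or header cut off */
	PARSE_TRUNCATED,	/* payload claims more bytes than the capture holds */
	PARSE_UNKNOWN,		/* no table entry for this event code */
};

typedef enum parse_result (*evt_func)(const uint8_t *data, uint8_t plen);

struct event_data {
	uint8_t event;
	const char *str;
	evt_func func;
	uint8_t size;	/* exact length if fixed, otherwise the minimum */
	bool fixed;
};

/* Inquiry Result: 1 octet num_responses, then that many fixed-size entries.
 * num_responses may be 0, so the table minimum stays 1 and the real
 * length check is done here against plen before any entry is touched. */
static enum parse_result inquiry_result_evt(const uint8_t *data, uint8_t plen)
{
	uint8_t num_resp = data[0];	/* safe: dispatcher guaranteed plen >= 1 */
	size_t need = 1 + (size_t)num_resp * INQUIRY_RESULT_ENTRY_LEN;

	if (plen < need)
		return PARSE_TRUNCATED;	/* corrupted frame: never read past plen */

	for (uint8_t i = 0; i < num_resp; i++) {
		const uint8_t *e = data + 1 + (size_t)i * INQUIRY_RESULT_ENTRY_LEN;
		printf("response %u: bdaddr %02X:%02X:%02X:%02X:%02X:%02X\n",
		       i, e[5], e[4], e[3], e[2], e[1], e[0]);
	}
	return PARSE_OK;
}

static enum parse_result inquiry_complete_evt(const uint8_t *data, uint8_t plen)
{
	(void)plen;	/* fixed == true: dispatcher already enforced plen == 1 */
	printf("inquiry complete, status 0x%02x\n", data[0]);
	return PARSE_OK;
}

static const struct event_data event_table[] = {
	{ 0x01, "Inquiry Complete", inquiry_complete_evt, 1, true },
	{ 0x02, "Inquiry Result",   inquiry_result_evt,   1, false },
};

/* Same fixed/minimum logic as the quoted packet_hci_event(), plus a check
 * that the captured buffer really holds the plen bytes the header claims. */
enum parse_result hci_event_dispatch(const uint8_t *frame, size_t len)
{
	struct evt_hdr hdr;
	const uint8_t *data;

	if (len < sizeof(hdr))
		return PARSE_TOO_SHORT;
	hdr.evt = frame[0];
	hdr.plen = frame[1];
	data = frame + sizeof(hdr);
	if (len - sizeof(hdr) < hdr.plen)
		return PARSE_TRUNCATED;

	for (size_t i = 0; i < sizeof(event_table) / sizeof(event_table[0]); i++) {
		const struct event_data *ed = &event_table[i];

		if (ed->event != hdr.evt)
			continue;
		if (ed->fixed) {
			if (hdr.plen != ed->size)
				return PARSE_INVALID_SIZE;
		} else {
			if (hdr.plen < ed->size)
				return PARSE_TOO_SHORT;
		}
		return ed->func(data, hdr.plen);
	}
	return PARSE_UNKNOWN;
}

/* Constructed sample frames (event code, plen, payload). */
static const uint8_t frame_zero_resp[] = { 0x02, 0x01, 0x00 };
static const uint8_t frame_one_resp[] = { 0x02, 0x0f, 0x01,
	0x66, 0x55, 0x44, 0x33, 0x22, 0x11, 0x01, 0x00, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t frame_corrupt[] = { 0x02, 0x03, 0x02, 0xaa, 0xbb };
static const uint8_t frame_bad_fixed[] = { 0x01, 0x02, 0x00, 0x00 };

int main(void)
{
	printf("zero responses: %d\n", hci_event_dispatch(frame_zero_resp, sizeof(frame_zero_resp)));
	printf("one response:   %d\n", hci_event_dispatch(frame_one_resp, sizeof(frame_one_resp)));
	printf("corrupt count:  %d\n", hci_event_dispatch(frame_corrupt, sizeof(frame_corrupt)));
	printf("bad fixed size: %d\n", hci_event_dispatch(frame_bad_fixed, sizeof(frame_bad_fixed)));
	return 0;
}
```

With the table minimum left at 1, frame_zero_resp (plen 1, num_responses 0) is accepted; had the minimum been raised to 8 as in the hunk, the dispatcher would have dropped that valid event. frame_corrupt passes the 1-octet minimum but announces two entries in a 3-octet payload, and it is the callback's own check that rejects it.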