On Sat, Mar 30, 2019 at 11:44:29PM +0100, Tomas Bortoli wrote:
> Hi,
>
> sorry for the multiple emails but I have checked again the code and
> looks like process_adv_report() reads from ev->data for a size of
> ev->length.
>
> I attach a patch that applies the bound check to both
> hci_le_ext_adv_report_evt() and hci_le_adv_report_evt().
>
You're right that both need to be fixed.
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 609fd6871c5a..275926e0753e 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -5345,6 +5345,7 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
> {
> u8 num_reports = skb->data[0];
> void *ptr = &skb->data[1];
> + u8 *end = &skb->data[skb->len - 1];
^^^^^^^^^^^^
>
> hci_dev_lock(hdev);
>
> @@ -5352,6 +5353,9 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
> struct hci_ev_le_advertising_info *ev = ptr;
> s8 rssi;
>
> + if (ev->data + ev->length > end)
No, this isn't right. You've removed the + 1 and you've introduced an
additional "sbk->len - 1" so we're off by two... The test is supposed
to be:
start + length_read > start + length_of_buffer
So the end has to be &skb->data[skb->len]. The "+ 1" comes from later
in the function when we do:
ptr += sizeof(*ev) + ev->length + 1;
^^^^
I don't where the "+ 1" comes from, but I know the condition and the
increment should match. We could use ev->data instead of
"ptr + sizeof(*ev)" but to me, because the mysterious "+ 1" then it
seems more readable to match the increment exactly...
regards,
dan carpenter
