6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@xxxxxxxxxx>
commit 0adcf6be1445ed50bfd4a451a7a782568f270197 upstream.
Add the missing sanity check when fetching the board id to avoid leaking
slab data when later requesting the firmware.
Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066")
Cc: stable@xxxxxxxxxxxxxxx # 6.7
Cc: Tim Jiang <quic_tjiang@xxxxxxxxxxx>
Signed-off-by: Johan Hovold <johan+linaro@xxxxxxxxxx>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/bluetooth/btqca.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -235,6 +235,11 @@ static int qca_read_fw_board_id(struct h
goto out;
}
+ if (skb->len < 3) {
+ err = -EILSEQ;
+ goto out;
+ }
+
*bid = (edl->data[1] << 8) + edl->data[2];
bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
