Bluetooth: Fix validating IO capability values in mgmt commands
The valid range of IO capabilities for the Set IO Capability and Pair Device mgmt commands is 0-4 (4 being the KeyboardDisplay capability for SMP). We should return an invalid parameters error if user space gives us a value outside of this range. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent
8ba8b4c05c
commit
4ec86d4c86
1 changed files with 9 additions and 0 deletions
|
@ -2766,6 +2766,10 @@ static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
|
|||
|
||||
BT_DBG("");
|
||||
|
||||
if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
|
||||
return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
|
||||
MGMT_STATUS_INVALID_PARAMS, NULL, 0);
|
||||
|
||||
hci_dev_lock(hdev);
|
||||
|
||||
hdev->io_capability = cp->io_capability;
|
||||
|
@ -2878,6 +2882,11 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
|
|||
MGMT_STATUS_INVALID_PARAMS,
|
||||
&rp, sizeof(rp));
|
||||
|
||||
if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
|
||||
return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
|
||||
MGMT_STATUS_INVALID_PARAMS,
|
||||
&rp, sizeof(rp));
|
||||
|
||||
hci_dev_lock(hdev);
|
||||
|
||||
if (!hdev_is_powered(hdev)) {
|
||||
|
|
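Review bot: Both new checks bound only the upper side of a value that comes straight from user space (`cp->io_capability > SMP_IO_KEYBOARD_DISPLAY` in set_io_capability, `cp->io_cap > SMP_IO_KEYBOARD_DISPLAY` in pair_device), so they are complete only if those fields are unsigned. The struct definitions are not visible on this page, so that is presumably the case but should be confirmed. The same bound is written out at two sites, and a short comment at each would keep them in step if another capability is ever defined, for example `/* io_capability is supplied by user space; SMP_IO_KEYBOARD_DISPLAY is the highest defined value */`. Both functions start and end outside the hunks shown.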