Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Bluetooth: Check for minimum data length in eir_has_data_type()

Browse source 
If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
This commit is contained in:
Johan Hedberg 2012-03-26 14:21:42 +03:00 committed by Gustavo Padovan
parent 84d9d0716b
commit 6c0c331e4c
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
include/net/bluetooth/hci_core.h
View file

@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
{
size_t parsed = 0;
if (data_len < 2)
return false;
while (parsed < data_len - 1) {
u8 field_len = data[0];