Bluetooth: Fix potential buffer overflow with Add Advertising
The Add Advertising command handler does the appropriate checks for the AD and Scan Response data, however fails to take into account the general length of the mgmt command itself, which could lead to potential buffer overflows. This patch adds the necessary check that the mgmt command length is consistent with the given ad and scan_rsp lengths. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org
This commit is contained in:
Johan Hedberg
Marcel Holtmann
parent
6a19cc8c89
commit
6a0e78072c
|
|
@ -5995,6 +5995,10 @@ static int add_advertising(struct sock *sk, struct hci_dev *hdev,
|
|||
return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
|
||||
MGMT_STATUS_INVALID_PARAMS);
|
||||
|
||||
if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
|
||||
return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
|
||||
MGMT_STATUS_INVALID_PARAMS);
|
||||
|
||||
flags = __le32_to_cpu(cp->flags);
|
||||
timeout = __le16_to_cpu(cp->timeout);
|
||||
duration = __le16_to_cpu(cp->duration);
|
||||
|
|
|
|||
Loading…
Reference in New Issue