Home Verkennen Help
Inloggen
GfA
/
linux_kernel
5
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Bladeren bron

Bluetooth: Prevent buffer overflow for large advertisement data

There are some controllers sending out advertising data with illegal
length value which is longer than HCI_MAX_AD_LENGTH, causing the
buffer last_adv_data overflows. To avoid these controllers from
overflowing the buffer, we do not process the advertisement data
if its length is incorrect.

Signed-off-by: Chriz Chow <chriz.chow@aminocom.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Chriz Chow 7 jaren geleden
bovenliggende
2cc6d0794c
commit
ee6493462f
1 gewijzigde bestanden met toevoegingen van 8 en 4 verwijderingen
Zij-aan-zij weergave Toon Diff Stats
  1. 8 4
      net/bluetooth/hci_event.c

+ 8 - 4
net/bluetooth/hci_event.c
Bestand weergeven 

@@ -4942,10 +4942,14 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
 
 		struct hci_ev_le_advertising_info *ev = ptr;
 
 		s8 rssi;
 
 
-		rssi = ev->data[ev->length];
 
-		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
 
-				   ev->bdaddr_type, NULL, 0, rssi,
 
-				   ev->data, ev->length);
 
+		if (ev->length <= HCI_MAX_AD_LENGTH) {
 
+			rssi = ev->data[ev->length];
 
+			process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
 
+					   ev->bdaddr_type, NULL, 0, rssi,
 
+					   ev->data, ev->length);
 
+		} else {
 
+			bt_dev_err(hdev, "Dropping invalid advertising data");
 
+		}
 
 
 		ptr += sizeof(*ev) + ev->length + 1;
 
 	}