| From 6a0e78072c2ae7b20b14e0249d8108441ea928d2 Mon Sep 17 00:00:00 2001 |
| From: Johan Hedberg <johan.hedberg@intel.com> |
| Date: Fri, 11 Mar 2016 09:56:33 +0200 |
| Subject: Bluetooth: Fix potential buffer overflow with Add Advertising |
| |
| From: Johan Hedberg <johan.hedberg@intel.com> |
| |
| commit 6a0e78072c2ae7b20b14e0249d8108441ea928d2 upstream. |
| |
| The Add Advertising command handler does the appropriate checks for |
| the AD and Scan Response data, however fails to take into account the |
| general length of the mgmt command itself, which could lead to |
| potential buffer overflows. This patch adds the necessary check that |
| the mgmt command length is consistent with the given ad and scan_rsp |
| lengths. |
| |
| Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> |
| Signed-off-by: Marcel Holtmann <marcel@holtmann.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/bluetooth/mgmt.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/net/bluetooth/mgmt.c |
| +++ b/net/bluetooth/mgmt.c |
| @@ -7155,6 +7155,10 @@ static int add_advertising(struct sock * |
| return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING, |
| status); |
| |
| + if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len) |
| + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING, |
| + MGMT_STATUS_INVALID_PARAMS); |
| + |
| flags = __le32_to_cpu(cp->flags); |
| timeout = __le16_to_cpu(cp->timeout); |
| duration = __le16_to_cpu(cp->duration); |
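Review bot: The new length check at the top of the hunk reads `cp->adv_data_len` and `cp->scan_rsp_len` out of the command buffer before anything has confirmed that `data_len` covers the fixed header; presumably the mgmt dispatcher already enforces a minimum of `sizeof(*cp)` for this var-length opcode before the handler runs, but that dependency is invisible here and deserves a comment. The exact-equality test is the right shape: because both length fields are single bytes, the sum cannot wrap, and trailing bytes beyond the declared AD and scan response data are rejected as well as missing ones. I would add above the `if`: `/* The fixed header is guaranteed by the mgmt dispatcher; the variable part must exactly match the declared AD and scan_rsp lengths, otherwise the later tlv_data_is_valid() walks past the command. */` (hedge the first clause if the dispatcher check turns out to be elsewhere). The enclosing add_advertising() starts before and continues after this hunk.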