Bluetooth: Check minimum length of SMP packets

When SMP packets are received, make sure they contain at least 1 byte header for the opcode. If not, drop the packet and disconnect the link. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
author: Marcel Holtmann <marcel@holtmann.org> 2013-10-03 04:23:08 -0400
committer: Johan Hedberg <johan.hedberg@intel.com> 2013-10-03 06:06:41 -0400
commit: 92381f5cd72b3fb415efe2406ad9fa462a223151 (patch)
tree: 9ff3ad9e3d7b2d746baab526e02385a031a7caf8 /net
parent: b99707d7ee887f9df8b3f7cf75e1e9dbf3206df3 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6e0494971db1..884b2081a262 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -848,8 +848,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
 int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
 {
        struct hci_conn *hcon = conn->hcon;
-        __u8 code = skb->data[0];
+        __u8 code, reason;
-        __u8 reason;
        int err = 0;
        if (hcon->type != LE_LINK) {
@@ -857,12 +856,18 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
                return -ENOTSUPP;
        }
+        if (skb->len < 1) {
+                kfree_skb(skb);
+                return -EILSEQ;
+        }
        if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
                err = -ENOTSUPP;
                reason = SMP_PAIRING_NOTSUPP;
                goto done;
        }
+        code = skb->data[0];
        skb_pull(skb, sizeof(code));
        /*
author	Marcel Holtmann <marcel@holtmann.org>	2013-10-03 04:23:08 -0400
committer	Johan Hedberg <johan.hedberg@intel.com>	2013-10-03 06:06:41 -0400
commit	92381f5cd72b3fb415efe2406ad9fa462a223151 (patch)
tree	9ff3ad9e3d7b2d746baab526e02385a031a7caf8 /net
parent	b99707d7ee887f9df8b3f7cf75e1e9dbf3206df3 (diff)