author | Johan Hedberg <johan.hedberg@intel.com> | 2012-03-26 07:21:42 -0400 |
---|---|---|
committer | Gustavo Padovan <gustavo@padovan.org> | 2012-03-28 11:02:40 -0400 |
commit | 6c0c331e4c8ff6c0f7fa6cc5fd08d853d6c579c4 (patch) | |
tree | 819f4bb17b492dae2d9e7929dfd8cb31f072073d | |
parent | 84d9d0716b2d5f4a27de4801bd2dbf7aff5e1c38 (diff) |
Bluetooth: Check for minimum data length in eir_has_data_type()
If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
-rw-r--r-- | include/net/bluetooth/hci_core.h | 3 |
1 files changed, 3 insertions, 0 deletions
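--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
 {
 size_t parsed = 0;
 
+if (data_len < 2)
+return false;
+
 while (parsed < data_len - 1) {
 u8 field_len = data[0];
 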
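Review bot: The new `if (data_len < 2)` check carries no comment saying that it is what keeps the unsigned `data_len - 1` in the loop condition below from wrapping when data_len is 0, so a later refactor could move or drop it without noticing the dependency. I would add `/* need at least a length and a type octet; also keeps data_len - 1 from wrapping */` above the check, or write the condition as `while (parsed + 1 < data_len)` so that it is safe on its own. The loop body continues outside the hunk, so whether the advance driven by `field_len` is bounded against data_len before the type octet is read cannot be confirmed from the lines shown here.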