Bluetooth: Correct packet len calculation

Remove unneeded skb_pull and correct packet length calculation
removing magic number. Move BT_DBG after len check otherwise
it could possibly access wrong memory.

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

1 files changed, 4 insertions, 5 deletions

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 08c0b4295ecc..d37f5b2a3e3c 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -2271,20 +2271,19 @@ static inline void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *s
         struct hci_ev_num_comp_pkts *ev = (void *) skb->data;
         int i;
 
-        skb_pull(skb, sizeof(*ev));
-
-        BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
-
         if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) {
                 BT_ERR("Wrong event for mode %d", hdev->flow_ctl_mode);
                 return;
         }
 
-        if (skb->len < ev->num_hndl * 4) {
+        if (skb->len < sizeof(*ev) || skb->len < sizeof(*ev) +
+                        ev->num_hndl * sizeof(struct hci_comp_pkts_info)) {
                 BT_DBG("%s bad parameters", hdev->name);
                 return;
         }
 
+        BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl);
+
         for (i = 0; i < ev->num_hndl; i++) {
                 struct hci_comp_pkts_info *info = &ev->handles[i];
                 struct hci_conn *conn;