diff options
| author | Johan Hedberg <johan.hedberg@intel.com> | 2013-05-28 06:46:30 -0400 |
|---|---|---|
| committer | John W. Linville <linville@tuxdriver.com> | 2013-06-12 10:20:54 -0400 |
| commit | cb3b3152b2f5939d67005cff841a1ca748b19888 (patch) | |
| tree | ae3d09c16bea2dc26496a1155cc08104321d46ae /net | |
| parent | 22f2efed35e02a7c0b1ec73cfe790b1e3d207f4b (diff) | |
Bluetooth: Fix missing length checks for L2CAP signalling PDUs
There has been code in place to check that the L2CAP length header
matches the amount of data received, but many PDU handlers have not been
checking that the data received actually matches that expected by the
specific PDU. This patch adds passing the length header to the specific
handler functions and ensures that those functions fail cleanly in the
case of an incorrect amount of data.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bluetooth/l2cap_core.c | 70 |
1 files changed, 52 insertions, 18 deletions
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index a76d1ac0321b..24bee07ee4ce 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c | |||
| @@ -3677,10 +3677,14 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) | |||
| 3677 | } | 3677 | } |
| 3678 | 3678 | ||
| 3679 | static inline int l2cap_command_rej(struct l2cap_conn *conn, | 3679 | static inline int l2cap_command_rej(struct l2cap_conn *conn, |
| 3680 | struct l2cap_cmd_hdr *cmd, u8 *data) | 3680 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 3681 | u8 *data) | ||
| 3681 | { | 3682 | { |
| 3682 | struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; | 3683 | struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data; |
| 3683 | 3684 | ||
| 3685 | if (cmd_len < sizeof(*rej)) | ||
| 3686 | return -EPROTO; | ||
| 3687 | |||
| 3684 | if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) | 3688 | if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD) |
| 3685 | return 0; | 3689 | return 0; |
| 3686 | 3690 | ||
| @@ -3829,11 +3833,14 @@ sendresp: | |||
| 3829 | } | 3833 | } |
| 3830 | 3834 | ||
| 3831 | static int l2cap_connect_req(struct l2cap_conn *conn, | 3835 | static int l2cap_connect_req(struct l2cap_conn *conn, |
| 3832 | struct l2cap_cmd_hdr *cmd, u8 *data) | 3836 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data) |
| 3833 | { | 3837 | { |
| 3834 | struct hci_dev *hdev = conn->hcon->hdev; | 3838 | struct hci_dev *hdev = conn->hcon->hdev; |
| 3835 | struct hci_conn *hcon = conn->hcon; | 3839 | struct hci_conn *hcon = conn->hcon; |
| 3836 | 3840 | ||
| 3841 | if (cmd_len < sizeof(struct l2cap_conn_req)) | ||
| 3842 | return -EPROTO; | ||
| 3843 | |||
| 3837 | hci_dev_lock(hdev); | 3844 | hci_dev_lock(hdev); |
| 3838 | if (test_bit(HCI_MGMT, &hdev->dev_flags) && | 3845 | if (test_bit(HCI_MGMT, &hdev->dev_flags) && |
| 3839 | !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) | 3846 | !test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags)) |
| @@ -3847,7 +3854,8 @@ static int l2cap_connect_req(struct l2cap_conn *conn, | |||
| 3847 | } | 3854 | } |
| 3848 | 3855 | ||
| 3849 | static int l2cap_connect_create_rsp(struct l2cap_conn *conn, | 3856 | static int l2cap_connect_create_rsp(struct l2cap_conn *conn, |
| 3850 | struct l2cap_cmd_hdr *cmd, u8 *data) | 3857 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 3858 | u8 *data) | ||
| 3851 | { | 3859 | { |
| 3852 | struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; | 3860 | struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data; |
| 3853 | u16 scid, dcid, result, status; | 3861 | u16 scid, dcid, result, status; |
| @@ -3855,6 +3863,9 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn, | |||
| 3855 | u8 req[128]; | 3863 | u8 req[128]; |
| 3856 | int err; | 3864 | int err; |
| 3857 | 3865 | ||
| 3866 | if (cmd_len < sizeof(*rsp)) | ||
| 3867 | return -EPROTO; | ||
| 3868 | |||
| 3858 | scid = __le16_to_cpu(rsp->scid); | 3869 | scid = __le16_to_cpu(rsp->scid); |
| 3859 | dcid = __le16_to_cpu(rsp->dcid); | 3870 | dcid = __le16_to_cpu(rsp->dcid); |
| 3860 | result = __le16_to_cpu(rsp->result); | 3871 | result = __le16_to_cpu(rsp->result); |
| @@ -3952,6 +3963,9 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, | |||
| 3952 | struct l2cap_chan *chan; | 3963 | struct l2cap_chan *chan; |
| 3953 | int len, err = 0; | 3964 | int len, err = 0; |
| 3954 | 3965 | ||
| 3966 | if (cmd_len < sizeof(*req)) | ||
| 3967 | return -EPROTO; | ||
| 3968 | |||
| 3955 | dcid = __le16_to_cpu(req->dcid); | 3969 | dcid = __le16_to_cpu(req->dcid); |
| 3956 | flags = __le16_to_cpu(req->flags); | 3970 | flags = __le16_to_cpu(req->flags); |
| 3957 | 3971 | ||
| @@ -3975,7 +3989,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, | |||
| 3975 | 3989 | ||
| 3976 | /* Reject if config buffer is too small. */ | 3990 | /* Reject if config buffer is too small. */ |
| 3977 | len = cmd_len - sizeof(*req); | 3991 | len = cmd_len - sizeof(*req); |
| 3978 | if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) { | 3992 | if (chan->conf_len + len > sizeof(chan->conf_req)) { |
| 3979 | l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, | 3993 | l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, |
| 3980 | l2cap_build_conf_rsp(chan, rsp, | 3994 | l2cap_build_conf_rsp(chan, rsp, |
| 3981 | L2CAP_CONF_REJECT, flags), rsp); | 3995 | L2CAP_CONF_REJECT, flags), rsp); |
| @@ -4053,14 +4067,18 @@ unlock: | |||
| 4053 | } | 4067 | } |
| 4054 | 4068 | ||
| 4055 | static inline int l2cap_config_rsp(struct l2cap_conn *conn, | 4069 | static inline int l2cap_config_rsp(struct l2cap_conn *conn, |
| 4056 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4070 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4071 | u8 *data) | ||
| 4057 | { | 4072 | { |
| 4058 | struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; | 4073 | struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data; |
| 4059 | u16 scid, flags, result; | 4074 | u16 scid, flags, result; |
| 4060 | struct l2cap_chan *chan; | 4075 | struct l2cap_chan *chan; |
| 4061 | int len = le16_to_cpu(cmd->len) - sizeof(*rsp); | 4076 | int len = cmd_len - sizeof(*rsp); |
| 4062 | int err = 0; | 4077 | int err = 0; |
| 4063 | 4078 | ||
| 4079 | if (cmd_len < sizeof(*rsp)) | ||
| 4080 | return -EPROTO; | ||
| 4081 | |||
| 4064 | scid = __le16_to_cpu(rsp->scid); | 4082 | scid = __le16_to_cpu(rsp->scid); |
| 4065 | flags = __le16_to_cpu(rsp->flags); | 4083 | flags = __le16_to_cpu(rsp->flags); |
| 4066 | result = __le16_to_cpu(rsp->result); | 4084 | result = __le16_to_cpu(rsp->result); |
| @@ -4161,7 +4179,8 @@ done: | |||
| 4161 | } | 4179 | } |
| 4162 | 4180 | ||
| 4163 | static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | 4181 | static inline int l2cap_disconnect_req(struct l2cap_conn *conn, |
| 4164 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4182 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4183 | u8 *data) | ||
| 4165 | { | 4184 | { |
| 4166 | struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; | 4185 | struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data; |
| 4167 | struct l2cap_disconn_rsp rsp; | 4186 | struct l2cap_disconn_rsp rsp; |
| @@ -4169,6 +4188,9 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | |||
| 4169 | struct l2cap_chan *chan; | 4188 | struct l2cap_chan *chan; |
| 4170 | struct sock *sk; | 4189 | struct sock *sk; |
| 4171 | 4190 | ||
| 4191 | if (cmd_len != sizeof(*req)) | ||
| 4192 | return -EPROTO; | ||
| 4193 | |||
| 4172 | scid = __le16_to_cpu(req->scid); | 4194 | scid = __le16_to_cpu(req->scid); |
| 4173 | dcid = __le16_to_cpu(req->dcid); | 4195 | dcid = __le16_to_cpu(req->dcid); |
| 4174 | 4196 | ||
| @@ -4208,12 +4230,16 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn, | |||
| 4208 | } | 4230 | } |
| 4209 | 4231 | ||
| 4210 | static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, | 4232 | static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, |
| 4211 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4233 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4234 | u8 *data) | ||
| 4212 | { | 4235 | { |
| 4213 | struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; | 4236 | struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data; |
| 4214 | u16 dcid, scid; | 4237 | u16 dcid, scid; |
| 4215 | struct l2cap_chan *chan; | 4238 | struct l2cap_chan *chan; |
| 4216 | 4239 | ||
| 4240 | if (cmd_len != sizeof(*rsp)) | ||
| 4241 | return -EPROTO; | ||
| 4242 | |||
| 4217 | scid = __le16_to_cpu(rsp->scid); | 4243 | scid = __le16_to_cpu(rsp->scid); |
| 4218 | dcid = __le16_to_cpu(rsp->dcid); | 4244 | dcid = __le16_to_cpu(rsp->dcid); |
| 4219 | 4245 | ||
| @@ -4243,11 +4269,15 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn, | |||
| 4243 | } | 4269 | } |
| 4244 | 4270 | ||
| 4245 | static inline int l2cap_information_req(struct l2cap_conn *conn, | 4271 | static inline int l2cap_information_req(struct l2cap_conn *conn, |
| 4246 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4272 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4273 | u8 *data) | ||
| 4247 | { | 4274 | { |
| 4248 | struct l2cap_info_req *req = (struct l2cap_info_req *) data; | 4275 | struct l2cap_info_req *req = (struct l2cap_info_req *) data; |
| 4249 | u16 type; | 4276 | u16 type; |
| 4250 | 4277 | ||
| 4278 | if (cmd_len != sizeof(*req)) | ||
| 4279 | return -EPROTO; | ||
| 4280 | |||
| 4251 | type = __le16_to_cpu(req->type); | 4281 | type = __le16_to_cpu(req->type); |
| 4252 | 4282 | ||
| 4253 | BT_DBG("type 0x%4.4x", type); | 4283 | BT_DBG("type 0x%4.4x", type); |
| @@ -4294,11 +4324,15 @@ static inline int l2cap_information_req(struct l2cap_conn *conn, | |||
| 4294 | } | 4324 | } |
| 4295 | 4325 | ||
| 4296 | static inline int l2cap_information_rsp(struct l2cap_conn *conn, | 4326 | static inline int l2cap_information_rsp(struct l2cap_conn *conn, |
| 4297 | struct l2cap_cmd_hdr *cmd, u8 *data) | 4327 | struct l2cap_cmd_hdr *cmd, u16 cmd_len, |
| 4328 | u8 *data) | ||
| 4298 | { | 4329 | { |
| 4299 | struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; | 4330 | struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data; |
| 4300 | u16 type, result; | 4331 | u16 type, result; |
| 4301 | 4332 | ||
| 4333 | if (cmd_len != sizeof(*rsp)) | ||
| 4334 | return -EPROTO; | ||
| 4335 | |||
| 4302 | type = __le16_to_cpu(rsp->type); | 4336 | type = __le16_to_cpu(rsp->type); |
| 4303 | result = __le16_to_cpu(rsp->result); | 4337 | result = __le16_to_cpu(rsp->result); |
| 4304 | 4338 | ||
| @@ -5164,16 +5198,16 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | |||
| 5164 | 5198 | ||
| 5165 | switch (cmd->code) { | 5199 | switch (cmd->code) { |
| 5166 | case L2CAP_COMMAND_REJ: | 5200 | case L2CAP_COMMAND_REJ: |
| 5167 | l2cap_command_rej(conn, cmd, data); | 5201 | l2cap_command_rej(conn, cmd, cmd_len, data); |
| 5168 | break; | 5202 | break; |
| 5169 | 5203 | ||
| 5170 | case L2CAP_CONN_REQ: | 5204 | case L2CAP_CONN_REQ: |
| 5171 | err = l2cap_connect_req(conn, cmd, data); | 5205 | err = l2cap_connect_req(conn, cmd, cmd_len, data); |
| 5172 | break; | 5206 | break; |
| 5173 | 5207 | ||
| 5174 | case L2CAP_CONN_RSP: | 5208 | case L2CAP_CONN_RSP: |
| 5175 | case L2CAP_CREATE_CHAN_RSP: | 5209 | case L2CAP_CREATE_CHAN_RSP: |
| 5176 | err = l2cap_connect_create_rsp(conn, cmd, data); | 5210 | err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data); |
| 5177 | break; | 5211 | break; |
| 5178 | 5212 | ||
| 5179 | case L2CAP_CONF_REQ: | 5213 | case L2CAP_CONF_REQ: |
| @@ -5181,15 +5215,15 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | |||
| 5181 | break; | 5215 | break; |
| 5182 | 5216 | ||
| 5183 | case L2CAP_CONF_RSP: | 5217 | case L2CAP_CONF_RSP: |
| 5184 | err = l2cap_config_rsp(conn, cmd, data); | 5218 | err = l2cap_config_rsp(conn, cmd, cmd_len, data); |
| 5185 | break; | 5219 | break; |
| 5186 | 5220 | ||
| 5187 | case L2CAP_DISCONN_REQ: | 5221 | case L2CAP_DISCONN_REQ: |
| 5188 | err = l2cap_disconnect_req(conn, cmd, data); | 5222 | err = l2cap_disconnect_req(conn, cmd, cmd_len, data); |
| 5189 | break; | 5223 | break; |
| 5190 | 5224 | ||
| 5191 | case L2CAP_DISCONN_RSP: | 5225 | case L2CAP_DISCONN_RSP: |
| 5192 | err = l2cap_disconnect_rsp(conn, cmd, data); | 5226 | err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data); |
| 5193 | break; | 5227 | break; |
| 5194 | 5228 | ||
| 5195 | case L2CAP_ECHO_REQ: | 5229 | case L2CAP_ECHO_REQ: |
| @@ -5200,11 +5234,11 @@ static inline int l2cap_bredr_sig_cmd(struct l2cap_conn *conn, | |||
| 5200 | break; | 5234 | break; |
| 5201 | 5235 | ||
| 5202 | case L2CAP_INFO_REQ: | 5236 | case L2CAP_INFO_REQ: |
| 5203 | err = l2cap_information_req(conn, cmd, data); | 5237 | err = l2cap_information_req(conn, cmd, cmd_len, data); |
| 5204 | break; | 5238 | break; |
| 5205 | 5239 | ||
| 5206 | case L2CAP_INFO_RSP: | 5240 | case L2CAP_INFO_RSP: |
| 5207 | err = l2cap_information_rsp(conn, cmd, data); | 5241 | err = l2cap_information_rsp(conn, cmd, cmd_len, data); |
| 5208 | break; | 5242 | break; |
| 5209 | 5243 | ||
| 5210 | case L2CAP_CREATE_CHAN_REQ: | 5244 | case L2CAP_CREATE_CHAN_REQ: |