summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohan Hedberg <johan.hedberg@intel.com>2012-03-26 13:21:42 +0200
committerGustavo Padovan <gustavo@padovan.org>2012-03-28 17:02:40 +0200
commit6c0c331e4c8ff6c0f7fa6cc5fd08d853d6c579c4 (patch)
tree819f4bb17b492dae2d9e7929dfd8cb31f072073d
parentBluetooth: Don't increment twice in eir_has_data_type() (diff)
downloadlinux-6c0c331e4c8ff6c0f7fa6cc5fd08d853d6c579c4.tar.xz
linux-6c0c331e4c8ff6c0f7fa6cc5fd08d853d6c579c4.zip
Bluetooth: Check for minimum data length in eir_has_data_type()
If passed 0 as data_length the (parsed < data_length - 1) test will be true and cause a buffer overflow. In practice we need at least two bytes for the element length and type so add a test for it to the very beginning of the function. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
-rw-r--r--include/net/bluetooth/hci_core.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 220d8e0a75fb..6822d2595aff 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
{
size_t parsed = 0;
+ if (data_len < 2)
+ return false;
+
while (parsed < data_len - 1) {
u8 field_len = data[0];