• J
    Bluetooth: Fix buffer overflow with variable length commands · ba1d6936
    Johan Hedberg 提交于
    The handler for variable length commands were trying to calculate the
    expected length of the command based on the given parameter count, and
    then comparing that with the received data. However, the expected count
    was stored in a u16 which can easily overflow. With a carefully crafted
    command this can then be made to match the given data even though the
    parameter count is actually way too big, resulting in a buffer overflow
    when parsing the parameters.
    
    This patch fixes the issue by calculating a per-command maximum
    parameter count and returns INVALID_PARAMS if it is exceeded.
    Signed-off-by: NJohan Hedberg <johan.hedberg@intel.com>
    Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>
    ba1d6936
mgmt.c 158.1 KB