Bluetooth: Check for minimum data length in eir_has_data_type()

If passed 0 as data_length the (parsed < data_length - 1) test will be true and cause a buffer overflow. In practice we need at least two bytes for the element length and type so add a test for it to the very beginning of the function. Signed-off-by: N Johan Hedberg <johan.hedberg@intel.com> Acked-by: N Marcel Holtmann <marcel@holtmann.org> Signed-off-by: N Gustavo Padovan <gustavo@padovan.org>

Bluetooth: Check for minimum data length in eir_has_data_type()
If passed 0 as data_length the (parsed < data_length - 1) test will be true and cause a buffer overflow. In practice we need at least two bytes for the element length and type so add a test for it to the very beginning of the function. Signed-off-by: N Johan Hedberg <johan.hedberg@intel.com> Acked-by: N Marcel Holtmann <marcel@holtmann.org> Signed-off-by: N Gustavo Padovan <gustavo@padovan.org>
6c0c331e · Johan Hedberg · Gustavo Padovan · 84d9d071 · 6c0c331e
显示空白变更内容
内联并排

Showing with 3 addition and 0 deletion

include/net/bluetooth/hci_core.h include/net/bluetooth/hci_core.h +3 -0

未找到文件。
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
 {
 	size_t parsed = 0;

+	if (data_len < 2)
+		return false;
+
 	while (parsed < data_len - 1) {
 		u8 field_len = data[0];