Bluetooth: Check for minimum data length in eir_has_data_type()
author Johan Hedberg <johan.hedberg@intel.com>
Mon, 26 Mar 2012 11:21:42 +0000 (14:21 +0300)
committer Gustavo Padovan <gustavo@padovan.org>
Wed, 28 Mar 2012 15:02:40 +0000 (12:02 -0300)
If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
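The unsigned wrap the commit message describes, as an added stand-alone example that is not the kernel's code: a hypothetical C re-implementation of the EIR element walk with the new guard in place, plus a helper that evaluates only the loop condition so the data_len == 0 case can be observed without touching memory. The sample EIR bytes, the function names eir_has_data_type_fixed and unguarded_condition_wraps, and the bounds handling inside the loop are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Constructed sample EIR data: two elements, each laid out as
 * [len][type][len-1 value bytes], where len counts the type byte.
 *   0x02 0x01 0x06          -> Flags (type 0x01)
 *   0x05 0x09 'T' 'e' 's' 't' -> Complete Local Name (type 0x09) */
static const u8 sample_eir[] = {
    0x02, 0x01, 0x06,
    0x05, 0x09, 'T', 'e', 's', 't'
};

/* Hypothetical re-implementation of the EIR walk, not the kernel's code.
 * Returns true if an element of the requested type is present. */
static bool eir_has_data_type_fixed(const u8 *data, size_t data_len, u8 type)
{
    size_t parsed = 0;

    /* Guard from the commit: an element needs at least a length byte and a
     * type byte. It also keeps "data_len - 1" below from wrapping when
     * data_len == 0 (size_t is unsigned, so 0 - 1 == SIZE_MAX). */
    if (data_len < 2)
        return false;

    while (parsed < data_len - 1) {
        u8 field_len = data[parsed];

        if (field_len == 0)                      /* zero length ends the list */
            break;
        if (parsed + field_len + 1 > data_len)   /* element runs past buffer */
            break;
        if (data[parsed + 1] == type)
            return true;
        parsed += field_len + 1;
    }
    return false;
}

/* Evaluates only the original loop condition for a given data_len, with
 * parsed == 0, and reports whether the loop body would have been entered.
 * For data_len == 0 the subtraction wraps and the result is true, which is
 * the defect the guard above closes. No buffer is dereferenced here. */
static bool unguarded_condition_wraps(size_t data_len)
{
    size_t parsed = 0;
    return parsed < data_len - 1;
}

int main(void)
{
    printf("loop entered for data_len=0 without guard: %s\n",
           unguarded_condition_wraps(0) ? "yes" : "no");
    printf("guarded walk, data_len=0, type 0x01: %s\n",
           eir_has_data_type_fixed(sample_eir, 0, 0x01) ? "found" : "not found");
    printf("guarded walk, full sample, type 0x09: %s\n",
           eir_has_data_type_fixed(sample_eir, sizeof sample_eir, 0x09)
               ? "found" : "not found");
    return 0;
}
```

The truncated-buffer case is worth trying as well: passing only the first five bytes of the sample makes the second element's declared length overrun data_len, and the walk stops instead of reading past the end.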
include/net/bluetooth/hci_core.h

index 220d8e0a75fb3e69ccd3b06b88374939c517fd9c..6822d2595aff983451b5c01b6286162635f25d9b 100644
@@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type)
 {
        size_t parsed = 0;
 
+       if (data_len < 2)
+               return false;
+
        while (parsed < data_len - 1) {
                u8 field_len = data[0];
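Review bot: the new `if (data_len < 2) return false;` would benefit from a one-line comment at the point it is added, because `< 2` reads as a minimum-element-size check while the hazard it actually closes is the unsigned wrap of `data_len - 1` in `while (parsed < data_len - 1)` when `data_len` is 0 (`size_t`, so the condition becomes `0 < SIZE_MAX` and the body reads `data[0]` from an empty buffer). Something like `/* need length + type; also keeps data_len - 1 from wrapping */` above the check would preserve both reasons given in the commit message for anyone reading the header later.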