From: Johan Hedberg Date: Mon, 26 Mar 2012 11:21:42 +0000 (+0300) Subject: Bluetooth: Check for minimum data length in eir_has_data_type() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=6c0c331e4c8ff6c0f7fa6cc5fd08d853d6c579c4;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git Bluetooth: Check for minimum data length in eir_has_data_type() If passed 0 as data_length the (parsed < data_length - 1) test will be true and cause a buffer overflow. In practice we need at least two bytes for the element length and type so add a test for it to the very beginning of the function. Signed-off-by: Johan Hedberg Acked-by: Marcel Holtmann Signed-off-by: Gustavo Padovan --- diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 220d8e0a75fb..6822d2595aff 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h @@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type) { size_t parsed = 0; + if (data_len < 2) + return false; + while (parsed < data_len - 1) { u8 field_len = data[0];
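Review bot: The new `if (data_len < 2)` guard at the top of eir_has_data_type() carries no comment explaining why it is needed, and the reason is not obvious from the code. `data_len` is a `size_t`, so with `data_len == 0` the expression `data_len - 1` in `while (parsed < data_len - 1)` wraps to the maximum value and the loop goes on to read `data[0]` from an empty buffer. Either add a one-line comment stating that, or remove the subtraction by writing the condition as `while (parsed + 1 < data_len)`, which cannot wrap and does not enter the loop for a `data_len` of 0 or 1. The rest of the loop body is outside the context shown in this hunk, so it is also worth confirming there that `field_len` is checked against the bytes remaining before it is used to advance through the buffer.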