Bluetooth: stop proccessing malicious adv data (3a56ef71) · Commits · EulixOS / Software / Kernel

net/bluetooth/hci_event.c

+7 −1

Original line number	Diff line number	Diff line
		@@ -5906,7 +5906,8 @@ static void hci_le_adv_report_evt(struct hci_dev hdev, struct sk_buff skb)
		struct hci_ev_le_advertising_info *ev = ptr;
		s8 rssi;

		if (ev->length <= HCI_MAX_AD_LENGTH) {
		if (ev->length <= HCI_MAX_AD_LENGTH &&
		ev->data + ev->length <= skb_tail_pointer(skb)) {
		rssi = ev->data[ev->length];
		process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
		ev->bdaddr_type, NULL, 0, rssi,
		@@ -5916,6 +5917,11 @@ static void hci_le_adv_report_evt(struct hci_dev hdev, struct sk_buff skb)
		}

		ptr += sizeof(*ev) + ev->length + 1;

		if (ptr > (void ) skb_tail_pointer(skb) - sizeof(ev)) {
		bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
		break;
		}
		}

		hci_dev_unlock(hdev);