Unverified Commit 5036b0d0 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!14886 Bluetooth: hci_core: Fix not checking skb length on hci_acldata_packet 

Merge Pull Request from: @ci-robot 
 
PR sync from: Tirui Yin <yintirui@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/3YLWV5YK5ZKH5NYZWZZT2WRW4CFER5UN/ 
 
https://gitee.com/src-openeuler/kernel/issues/IBEANH 
 
Link:https://gitee.com/openeuler/kernel/pulls/14886

 

Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents 78c89aa3 3e68a689

net/bluetooth/hci_core.c

+9 −4
Original line number Original line Diff line number Diff line
@@ -3735,17 +3735,21 @@ static void hci_tx_work(struct work_struct *work) 
/* ACL data packet */

/* ACL data packet */

static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)

static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)

{

{

	struct hci_acl_hdr *hdr = (void *) skb->data;

	struct hci_acl_hdr *hdr;

	struct hci_conn *conn;

	struct hci_conn *conn;

	__u16 handle, flags;

	__u16 handle, flags;





	skb_pull(skb, HCI_ACL_HDR_SIZE);

	hdr = skb_pull_data(skb, sizeof(*hdr));

	if (!hdr) {

		bt_dev_err(hdev, "ACL packet too small");

		goto drop;

	}





	handle = __le16_to_cpu(hdr->handle);

	handle = __le16_to_cpu(hdr->handle);

	flags  = hci_flags(handle);

	flags  = hci_flags(handle);

	handle = hci_handle(handle);

	handle = hci_handle(handle);





	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,

		   handle, flags);

		   handle, flags);





	hdev->stat.acl_rx++;

	hdev->stat.acl_rx++;
@@ -3765,6 +3769,7 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) 
			   handle);

			   handle);

	}

	}





drop:

	kfree_skb(skb);

	kfree_skb(skb);

}

}