Commit 899663be authored by Brian Gix's avatar Brian Gix Committed by Marcel Holtmann
Browse files

Bluetooth: refactor malicious adv data check 



Check for out-of-bound read was being performed at the end of while
num_reports loop, and would fill journal with false positives. Added
check to beginning of loop processing so that it doesn't get checked
after ptr has been advanced.

Signed-off-by: default avatarBrian Gix <brian.gix@intel.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 21a241b3

net/bluetooth/hci_event.c

+5 −5
Original line number Diff line number Diff line
@@ -5920,6 +5920,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 
		struct hci_ev_le_advertising_info *ev = ptr;

		s8 rssi;



		if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) {

			bt_dev_err(hdev, "Malicious advertising data.");

			break;

		}



		if (ev->length <= HCI_MAX_AD_LENGTH &&

		    ev->data + ev->length <= skb_tail_pointer(skb)) {

			rssi = ev->data[ev->length];
@@ -5931,11 +5936,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 
		}



		ptr += sizeof(*ev) + ev->length + 1;



		if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {

			bt_dev_err(hdev, "Malicious advertising data. Stopping processing");

			break;

		}

	}



	hci_dev_unlock(hdev);