Commit b48b833f authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz Committed by Marcel Holtmann
Browse files

Bluetooth: HCI: Use skb_pull_data to parse LE Ext Advertising Report event 



This uses skb_pull_data to check the LE Extended Advertising Report
events received have the minimum required length.

Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 47afe93c

include/net/bluetooth/hci.h

+11 −6
Original line number Diff line number Diff line
@@ -2517,8 +2517,8 @@ struct hci_ev_le_phy_update_complete { 
} __packed;



#define HCI_EV_LE_EXT_ADV_REPORT    0x0d

struct hci_ev_le_ext_adv_report {

	__le16 	 evt_type;

struct hci_ev_le_ext_adv_info {

	__le16   type;

	__u8	 bdaddr_type;

	bdaddr_t bdaddr;

	__u8	 primary_phy;
@@ -2533,6 +2533,11 @@ struct hci_ev_le_ext_adv_report { 
	__u8     data[];

} __packed;



struct hci_ev_le_ext_adv_report {

	__u8     num;

	struct hci_ev_le_ext_adv_info info[];

} __packed;



#define HCI_EV_LE_ENHANCED_CONN_COMPLETE    0x0a

struct hci_ev_le_enh_conn_complete {

	__u8      status;

net/bluetooth/hci_event.c

+25 −11
Original line number Diff line number Diff line
@@ -6649,26 +6649,40 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) 


static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)

{

	u8 num_reports = skb->data[0];

	void *ptr = &skb->data[1];

	struct hci_ev_le_ext_adv_report *ev;



	ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,

				sizeof(*ev));

	if (!ev)

		return;



	if (!ev->num)

		return;



	hci_dev_lock(hdev);



	while (num_reports--) {

		struct hci_ev_le_ext_adv_report *ev = ptr;

	while (ev->num--) {

		struct hci_ev_le_ext_adv_info *info;

		u8 legacy_evt_type;

		u16 evt_type;



		evt_type = __le16_to_cpu(ev->evt_type);

		info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,

					  sizeof(*info));

		if (!info)

			break;



		if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,

					info->length))

			break;



		evt_type = __le16_to_cpu(info->type);

		legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);

		if (legacy_evt_type != LE_ADV_INVALID) {

			process_adv_report(hdev, legacy_evt_type, &ev->bdaddr,

					   ev->bdaddr_type, NULL, 0, ev->rssi,

					   ev->data, ev->length,

			process_adv_report(hdev, legacy_evt_type, &info->bdaddr,

					   info->bdaddr_type, NULL, 0,

					   info->rssi, info->data, info->length,

					   !(evt_type & LE_EXT_ADV_LEGACY_PDU));

		}



		ptr += sizeof(*ev) + ev->length;

	}



	hci_dev_unlock(hdev);
@@ -7019,7 +7033,7 @@ static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, 
{

	struct hci_ev_le_advertising_info *adv;

	struct hci_ev_le_direct_adv_info *direct_adv;

	struct hci_ev_le_ext_adv_report *ext_adv;

	struct hci_ev_le_ext_adv_info *ext_adv;

	const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;

	const struct hci_ev_conn_request *conn_request = (void *)skb->data;