Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: Check for minimum data length in eir_has_data_type()

If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>

authored by Johan Hedberg and committed by Gustavo Padovan
6c0c331e 84d9d071

+3
+3
include/net/bluetooth/hci_core.h
··· 909 909 { 910 910 size_t parsed = 0; 911 911 912 + if (data_len < 2) 913 + return false; 914 + 912 915 while (parsed < data_len - 1) { 913 916 u8 field_len = data[0]; 914 917
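
Review bot: the loop condition `while (parsed < data_len - 1)` directly after the new guard is still an unsigned subtraction that is only safe because `if (data_len < 2)` runs first; writing it as `parsed + 1 < data_len` would make the condition wrap-free on its own, so the loop stays correct if the guard is later moved or dropped. A one-line comment on the guard noting that an element needs at least a length byte and a type byte would record why the constant is 2. The hunk shows `field_len` being read from `data[0]` but not how it is validated, so it is worth confirming in the rest of the loop body that an element's declared length cannot carry the parse past `data_len`.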