Commit 20a2aa01 authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz

Bluetooth: Fix NULL pointer deference on eir_get_service_data



The len parameter is optional and may be NULL, so it cannot be used to
skip to the next EIR_SERVICE_DATA entry.

Fixes: 8f9ae5b3 ("Bluetooth: eir: Add helpers for managing service data")
Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent 260388f7
+6 −4
@@ -366,17 +366,19 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)

void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
{
	while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, len))) {
	size_t dlen;

	while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
		u16 value = get_unaligned_le16(eir);

		if (uuid == value) {
			if (len)
				*len -= 2;
				*len = dlen - 2;
			return &eir[2];
		}

		eir += *len;
		eir_len -= *len;
		eir += dlen;
		eir_len -= dlen;
	}

	return NULL;
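Review bot: The new code computes `*len = dlen - 2` and reads a 16-bit UUID from `eir` without checking that the entry actually holds at least two bytes, so a service-data entry with a length below 2 would wrap the size_t subtraction and the get_unaligned_le16() read would extend past the entry. Unless eir_get_data() is known to reject such entries (not visible in this hunk), guard the compare on the length: replace `u16 value = get_unaligned_le16(eir);` and `if (uuid == value) {` with `if (dlen >= 2 && uuid == get_unaligned_le16(eir)) {`, leaving the advance by `dlen` as is so short entries are skipped. The same `dlen` is also used to advance `eir_len`, which relies on eir_get_data() never reporting a length larger than the remaining buffer; a one-line comment above the loop stating that contract would help the next reader. The function's closing brace lies outside the hunk.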