Commit 59437cbb authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz
Browse files

Bluetooth: hci_core: Fix not checking skb length on hci_scodata_packet 



This fixes not checking if skb really contains an SCO header otherwise
the code may attempt to access some uninitilized/invalid memory past the
valid skb->data.

Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
parent 3fe288a8

net/bluetooth/hci_core.c

+9 −4
Original line number Diff line number Diff line
@@ -3814,17 +3814,21 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb) 
/* SCO data packet */

static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)

{

	struct hci_sco_hdr *hdr = (void *) skb->data;

	struct hci_sco_hdr *hdr;

	struct hci_conn *conn;

	__u16 handle, flags;



	skb_pull(skb, HCI_SCO_HDR_SIZE);

	hdr = skb_pull_data(skb, sizeof(*hdr));

	if (!hdr) {

		bt_dev_err(hdev, "SCO packet too small");

		goto drop;

	}



	handle = __le16_to_cpu(hdr->handle);

	flags  = hci_flags(handle);

	handle = hci_handle(handle);



	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,

	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,

		   handle, flags);



	hdev->stat.sco_rx++;
@@ -3843,6 +3847,7 @@ static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb) 
				       handle);

	}



drop:

	kfree_skb(skb);

}