Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ee649346 authored by Chriz Chow's avatar Chriz Chow Committed by Marcel Holtmann
Browse files

Bluetooth: Prevent buffer overflow for large advertisement data 



There are some controllers sending out advertising data with illegal
length value which is longer than HCI_MAX_AD_LENGTH, causing the
buffer last_adv_data overflows. To avoid these controllers from
overflowing the buffer, we do not process the advertisement data
if its length is incorrect.

Signed-off-by: default avatarChriz Chow <chriz.chow@aminocom.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 2cc6d079

net/bluetooth/hci_event.c

+8 −4
Original line number Original line Diff line number Diff line
@@ -4942,10 +4942,14 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) 
		struct hci_ev_le_advertising_info *ev = ptr;

		struct hci_ev_le_advertising_info *ev = ptr;

		s8 rssi;

		s8 rssi;





		if (ev->length <= HCI_MAX_AD_LENGTH) {

			rssi = ev->data[ev->length];

			rssi = ev->data[ev->length];

			process_adv_report(hdev, ev->evt_type, &ev->bdaddr,

			process_adv_report(hdev, ev->evt_type, &ev->bdaddr,

					   ev->bdaddr_type, NULL, 0, rssi,

					   ev->bdaddr_type, NULL, 0, rssi,

					   ev->data, ev->length);

					   ev->data, ev->length);

		} else {

			bt_dev_err(hdev, "Dropping invalid advertising data");

		}





		ptr += sizeof(*ev) + ev->length + 1;

		ptr += sizeof(*ev) + ev->length + 1;

	}

	}