Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4ec86d4c authored by Johan Hedberg's avatar Johan Hedberg Committed by Marcel Holtmann
Browse files

Bluetooth: Fix validating IO capability values in mgmt commands 



The valid range of IO capabilities for the Set IO Capability and Pair
Device mgmt commands is 0-4 (4 being the KeyboarDisplay capability for
SMP). We should return an invalid parameters error if user space gives
us a value outside of this range.

Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent 8ba8b4c0

net/bluetooth/mgmt.c

+9 −0
Original line number Diff line number Diff line
@@ -2766,6 +2766,10 @@ static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data, 


	BT_DBG("");



	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)

		return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,

				    MGMT_STATUS_INVALID_PARAMS, NULL, 0);



	hci_dev_lock(hdev);



	hdev->io_capability = cp->io_capability;
@@ -2878,6 +2882,11 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data, 
				    MGMT_STATUS_INVALID_PARAMS,

				    &rp, sizeof(rp));



	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)

		return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,

				    MGMT_STATUS_INVALID_PARAMS,

				    &rp, sizeof(rp));



	hci_dev_lock(hdev);



	if (!hdev_is_powered(hdev)) {