Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6c0c331e authored by Johan Hedberg's avatar Johan Hedberg Committed by Gustavo Padovan
Browse files

Bluetooth: Check for minimum data length in eir_has_data_type() 



If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.

Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Signed-off-by: default avatarGustavo Padovan <gustavo@padovan.org>
parent 84d9d071

include/net/bluetooth/hci_core.h

+3 −0
Original line number Diff line number Diff line
@@ -909,6 +909,9 @@ static inline bool eir_has_data_type(u8 *data, size_t data_len, u8 type) 
{

	size_t parsed = 0;



	if (data_len < 2)

		return false;



	while (parsed < data_len - 1) {

		u8 field_len = data[0];