
Commit 92381f5c authored by Marcel Holtmann, committed by Johan Hedberg

Bluetooth: Check minimum length of SMP packets



When SMP packets are received, make sure they contain at least 1 byte
header for the opcode. If not, drop the packet and disconnect the link.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
parent b99707d7
+7 −2
@@ -848,8 +848,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct hci_conn *hcon = conn->hcon;
	__u8 code = skb->data[0];
	__u8 reason;
	__u8 code, reason;
	int err = 0;

	if (hcon->type != LE_LINK) {
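
Review bot: `code` is now declared without an initializer in `__u8 code, reason;`, so it is indeterminate on every path that leaves the normal flow before the later assignment from skb->data[0], including the `goto done` in the HCI_LE_ENABLED branch. Please confirm that nothing after the `done` label reads `code` on that path, or initialize it to 0 at the declaration so a later edit cannot turn this into a read of stack garbage.
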
@@ -857,12 +856,18 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
		return -ENOTSUPP;
	}

	if (skb->len < 1) {
		kfree_skb(skb);
		return -EILSEQ;
	}

	if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
		err = -ENOTSUPP;
		reason = SMP_PAIRING_NOTSUPP;
		goto done;
	}

	code = skb->data[0];
	skb_pull(skb, sizeof(code));

	/*
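
Review bot: The new check `if (skb->len < 1)` hard-codes the header size, while the `skb_pull(skb, sizeof(code))` a few lines later derives it from the variable; writing the check as skb->len < sizeof(code) keeps the two in step if the header ever changes. The commit message also says the link is disconnected, but this branch only frees the skb and returns -EILSEQ, so a one-line comment stating that the caller tears down the connection on a negative return would document where the disconnect actually happens.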