[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20220201180822.228840433@linuxfoundation.org>
Date: Tue, 1 Feb 2022 19:16:26 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-kernel@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
stable@...r.kernel.org, Brian Gix <brian.gix@...el.com>,
Marcel Holtmann <marcel@...tmann.org>,
syphyr <syphyr@...il.com>
Subject: [PATCH 4.4 02/25] Bluetooth: refactor malicious adv data check
From: Brian Gix <brian.gix@...el.com>
commit 899663be5e75dc0174dc8bda0b5e6826edf0b29a upstream.
Check for out-of-bound read was being performed at the end of while
num_reports loop, and would fill journal with false positives. Added
check to beginning of loop processing so that it doesn't get checked
after ptr has been advanced.
Signed-off-by: Brian Gix <brian.gix@...el.com>
Signed-off-by: Marcel Holtmann <marcel@...tmann.org>
Cc: syphyr <syphyr@...il.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
net/bluetooth/hci_event.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4940,6 +4940,11 @@ static void hci_le_adv_report_evt(struct
struct hci_ev_le_advertising_info *ev = ptr;
s8 rssi;
+ if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) {
+ bt_dev_err(hdev, "Malicious advertising data.");
+ break;
+ }
+
if (ev->length <= HCI_MAX_AD_LENGTH &&
ev->data + ev->length <= skb_tail_pointer(skb)) {
rssi = ev->data[ev->length];
@@ -4951,11 +4956,6 @@ static void hci_le_adv_report_evt(struct
}
ptr += sizeof(*ev) + ev->length + 1;
-
- if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
- bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
- break;
- }
}
hci_dev_unlock(hdev);
Powered by blists - more mailing lists