>From c868a2f2533bb05873fedcde6bc4ca174f8908ea Mon Sep 17 00:00:00 2001 From: Pavel Skripkin Date: Mon, 16 Aug 2021 22:52:29 +0300 Subject: [PATCH] Bluetooth: add timeout sanity check to hci_inquiry /* ... */ Signed-off-by: Pavel Skripkin --- include/net/bluetooth/hci_sock.h | 1 + net/bluetooth/hci_core.c | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/include/net/bluetooth/hci_sock.h b/include/net/bluetooth/hci_sock.h index 9949870f7d78..1cd63d4da00b 100644 --- a/include/net/bluetooth/hci_sock.h +++ b/include/net/bluetooth/hci_sock.h @@ -168,6 +168,7 @@ struct hci_inquiry_req { __u16 dev_id; __u16 flags; __u8 lap[3]; +#define HCI_INQUIRY_MAX_TIMEOUT 30 __u8 length; __u8 num_rsp; }; diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index e1a545c8a69f..cd00bcd2faef 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -1343,6 +1343,11 @@ int hci_inquiry(void __user *arg) goto done; } + if (ir.length > HCI_MAX_TIMEOUT) { + err = -EINVAL; + goto done; + } + hci_dev_lock(hdev); if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) { -- 2.32.0