diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2013-10-03 01:23:08 -0700 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2013-10-03 13:06:41 +0300 |
commit | 92381f5cd72b3fb415efe2406ad9fa462a223151 (patch) | |
tree | 9ff3ad9e3d7b2d746baab526e02385a031a7caf8 | |
parent | b99707d7ee887f9df8b3f7cf75e1e9dbf3206df3 (diff) | |
download | linux-92381f5cd72b3fb415efe2406ad9fa462a223151.tar.bz2 |
Bluetooth: Check minimum length of SMP packets
When SMP packets are received, make sure they contain at least 1 byte
header for the opcode. If not, drop the packet and disconnect the link.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
-rw-r--r-- | net/bluetooth/smp.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 6e0494971db1..884b2081a262 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -848,8 +848,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) { struct hci_conn *hcon = conn->hcon; - __u8 code = skb->data[0]; - __u8 reason; + __u8 code, reason; int err = 0; if (hcon->type != LE_LINK) { @@ -857,12 +856,18 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) return -ENOTSUPP; } + if (skb->len < 1) { + kfree_skb(skb); + return -EILSEQ; + } + if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) { err = -ENOTSUPP; reason = SMP_PAIRING_NOTSUPP; goto done; } + code = skb->data[0]; skb_pull(skb, sizeof(code)); /* |