summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2013-10-03 01:23:08 -0700
committerJohan Hedberg <johan.hedberg@intel.com>2013-10-03 13:06:41 +0300
commit92381f5cd72b3fb415efe2406ad9fa462a223151 (patch)
tree9ff3ad9e3d7b2d746baab526e02385a031a7caf8
parentb99707d7ee887f9df8b3f7cf75e1e9dbf3206df3 (diff)
downloadlinux-92381f5cd72b3fb415efe2406ad9fa462a223151.tar.bz2
Bluetooth: Check minimum length of SMP packets
When SMP packets are received, make sure they contain at least 1 byte header for the opcode. If not, drop the packet and disconnect the link. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
-rw-r--r--net/bluetooth/smp.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 6e0494971db1..884b2081a262 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -848,8 +848,7 @@ static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
{
struct hci_conn *hcon = conn->hcon;
- __u8 code = skb->data[0];
- __u8 reason;
+ __u8 code, reason;
int err = 0;
if (hcon->type != LE_LINK) {
@@ -857,12 +856,18 @@ int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
return -ENOTSUPP;
}
+ if (skb->len < 1) {
+ kfree_skb(skb);
+ return -EILSEQ;
+ }
+
if (!test_bit(HCI_LE_ENABLED, &conn->hcon->hdev->dev_flags)) {
err = -ENOTSUPP;
reason = SMP_PAIRING_NOTSUPP;
goto done;
}
+ code = skb->data[0];
skb_pull(skb, sizeof(code));
/*