Commit 6c0c331e4c8ff6c0f7fa6cc5fd08d853d6c579c4

Authored by Johan Hedberg
Committed by Gustavo Padovan
1 parent 84d9d0716b

Bluetooth: Check for minimum data length in eir_has_data_type()

If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo@padovan.org>

Showing 1 changed file with 3 additions and 0 deletions

include/net/bluetooth/hci_core.h
... ... @@ -909,6 +909,9 @@
909 909 {
910 910 size_t parsed = 0;
911 911  
  912 + if (data_len < 2)
  913 + return false;
  914 +
912 915 while (parsed < data_len - 1) {
913 916 u8 field_len = data[0];
914 917
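
Review bot: The new `if (data_len < 2)` guard has no comment explaining the constant, and the loop condition `while (parsed < data_len - 1)` directly below it still relies on a subtraction that wraps when `data_len` is 0 and the result is compared against the `size_t parsed`. A one-line comment saying that 2 is the element length byte plus the type byte would document the check, and writing the condition as `parsed + 1 < data_len` would keep the bound correct on its own, so the function does not silently regress if the early return is ever moved or dropped. Minor: the commit message refers to `data_length` while the code uses `data_len`.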