Bluetooth: stop proccessing malicious adv data

author Pavel Skripkin <paskripkin@gmail.com>

Mon, 1 Nov 2021 07:12:12 +0000 (10:12 +0300)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Thu, 27 Jan 2022 10:03:11 +0000 (11:03 +0100)
author Pavel Skripkin <paskripkin@gmail.com>
Mon, 1 Nov 2021 07:12:12 +0000 (10:12 +0300)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Jan 2022 10:03:11 +0000 (11:03 +0100)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c

index 0bca035bf2dcc20340b228419b6c7d67a43c8952..50d1d62c15ec8053db8a28db413a58cc437f02e7 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5780,7 +5780,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 struct hci_ev_le_advertising_info *ev = ptr;
                 s8 rssi;
  
-               if (ev->length <= HCI_MAX_AD_LENGTH) {
+               if (ev->length <= HCI_MAX_AD_LENGTH &&
+                   ev->data + ev->length <= skb_tail_pointer(skb)) {
                         rssi = ev->data[ev->length];
                         process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
                                            ev->bdaddr_type, NULL, 0, rssi,
@@ -5790,6 +5791,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
                 }
  
                 ptr += sizeof(*ev) + ev->length + 1;
+
+               if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
+                       bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
+                       break;
+               }
         }
  
         hci_dev_unlock(hdev);
author	Pavel Skripkin <paskripkin@gmail.com>
	Mon, 1 Nov 2021 07:12:12 +0000 (10:12 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 27 Jan 2022 10:03:11 +0000 (11:03 +0100)