Bluetooth: Fix NULL pointer deference on eir_get_service_data

The len parameter is considered optional so it can be NULL so it cannot
be used for skipping to next entry of EIR_SERVICE_DATA.

Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 1bc51e2b05a3474b12b25e7f396d3475cd6944dd..3e1713673ecc93403d662238fcc13ad7a9e834e1 100644 (file)
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -366,17 +366,19 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr)
 
 void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len)
 {
-       while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, len))) {
+       size_t dlen;
+
+       while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) {
                u16 value = get_unaligned_le16(eir);
 
                if (uuid == value) {
                        if (len)
-                               *len -= 2;
+                               *len = dlen - 2;
                        return &eir[2];
                }
 
-               eir += *len;
-               eir_len -= *len;
+               eir += dlen;
+               eir_len -= dlen;
        }
 
        return NULL;