--- /dev/null
+From 899663be5e75dc0174dc8bda0b5e6826edf0b29a Mon Sep 17 00:00:00 2001
+From: Brian Gix <brian.gix@intel.com>
+Date: Wed, 24 Nov 2021 12:16:28 -0800
+Subject: Bluetooth: refactor malicious adv data check
+
+From: Brian Gix <brian.gix@intel.com>
+
+commit 899663be5e75dc0174dc8bda0b5e6826edf0b29a upstream.
+
+Check for out-of-bound read was being performed at the end of while
+num_reports loop, and would fill journal with false positives. Added
+check to beginning of loop processing so that it doesn't get checked
+after ptr has been advanced.
+
+Signed-off-by: Brian Gix <brian.gix@intel.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: syphyr <syphyr@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_event.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5506,6 +5506,11 @@ static void hci_le_adv_report_evt(struct
+ struct hci_ev_le_advertising_info *ev = ptr;
+ s8 rssi;
+
++ if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) {
++ bt_dev_err(hdev, "Malicious advertising data.");
++ break;
++ }
++
+ if (ev->length <= HCI_MAX_AD_LENGTH &&
+ ev->data + ev->length <= skb_tail_pointer(skb)) {
+ rssi = ev->data[ev->length];
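Review bot: The bounds test just above `rssi = ev->data[ev->length]` still allows a one-byte read past the end of the skb, because `ev->data + ev->length <= skb_tail_pointer(skb)` accepts the case where the advertising data ends exactly at the tail and the RSSI byte sits one past it. The guard this patch moves to the top of the loop only proves that the fixed-size header fits, so it does not cover that trailing byte. Using `ev->data + ev->length < skb_tail_pointer(skb)` would account for the RSSI byte, which agrees with the `+ 1` in `ptr += sizeof(*ev) + ev->length + 1;` in the next hunk. The loop header and the rest of hci_le_adv_report_evt lie outside this hunk, so any earlier length validation is not visible here and should be confirmed.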
+@@ -5517,11 +5522,6 @@ static void hci_le_adv_report_evt(struct
+ }
+
+ ptr += sizeof(*ev) + ev->length + 1;
+-
+- if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
+- bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
+- break;
+- }
+ }
+
+ hci_dev_unlock(hdev);