From: Brian Gix Date: Wed, 24 Nov 2021 20:16:28 +0000 (-0800) Subject: Bluetooth: refactor malicious adv data check X-Git-Tag: v4.19.228~86 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8819f93cd4a443dfe547aa622b21f723757df3fb;p=thirdparty%2Fkernel%2Fstable.git Bluetooth: refactor malicious adv data check commit 899663be5e75dc0174dc8bda0b5e6826edf0b29a upstream. Check for out-of-bound read was being performed at the end of while num_reports loop, and would fill journal with false positives. Added check to beginning of loop processing so that it doesn't get checked after ptr has been advanced. Signed-off-by: Brian Gix Signed-off-by: Marcel Holtmann Cc: syphyr Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index c0dbb8ad00376..196d0d8320070 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -5391,6 +5391,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; + if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data."); + break; + } + if (ev->length <= HCI_MAX_AD_LENGTH && ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; @@ -5402,11 +5407,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; - - if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { - bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); - break; - } } hci_dev_unlock(hdev);