Bluetooth: RFCOMM: pull credit byte with skb_pull_data()

rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the PF/CFC path consumes that byte
with a direct skb->data dereference followed by skb_pull(). A malformed
short frame can reach this path without a byte available.

Use skb_pull_data() so the length check and pull happen together before
the returned credit byte is consumed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151ecf815b2d42de57cfbc284aa8df25..d11bd5337d573ee452804a566bea12daf5f6ece6 100644 (file)
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1715,9 +1715,12 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
        }
 
        if (pf && d->cfc) {
-               u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
+               u8 *credits = skb_pull_data(skb, 1);
 
-               d->tx_credits += credits;
+               if (!credits)
+                       goto drop;
+
+               d->tx_credits += *credits;
                if (d->tx_credits)
                        clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
        }