projects / linux-2.6-microblaze.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: aadc3d2)
Bluetooth: HCI: Use skb_pull_data to parse Inquiry Result event
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Wed, 1 Dec 2021 18:54:56 +0000 (10:54 -0800)
committerMarcel Holtmann <marcel@holtmann.org>
Tue, 7 Dec 2021 16:05:50 +0000 (17:05 +0100)
This uses skb_pull_data to check the Inquiry Result events received
have the minimum required length.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
include/net/bluetooth/hci.h patch | blob | history
net/bluetooth/hci_event.c patch | blob | history

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index 3f57fd6..55466bf 100644 (file)
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -2028,6 +2028,11 @@ struct inquiry_info {
        __le16   clock_offset;
 } __packed;
 
+struct hci_ev_inquiry_result {
+       __u8    num;
+       struct inquiry_info info[];
+};
+
 #define HCI_EV_CONN_COMPLETE           0x03
 struct hci_ev_conn_complete {
        __u8     status;
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index b27a4ad..0bf062f 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3180,13 +3180,21 @@ unlock:
 
 static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
 {
+       struct hci_ev_inquiry_result *ev;
        struct inquiry_data data;
-       struct inquiry_info *info = (void *) (skb->data + 1);
-       int num_rsp = *((__u8 *) skb->data);
+       int i;
 
-       BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+       ev = hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT, sizeof(*ev));
+       if (!ev)
+               return;
 
-       if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+       if (!hci_ev_skb_pull(hdev, skb, HCI_EV_INQUIRY_RESULT,
+                            flex_array_size(ev, info, ev->num)))
+               return;
+
+       BT_DBG("%s num %d", hdev->name, ev->num);
+
+       if (!ev->num)
                return;
 
        if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
@@ -3194,7 +3202,8 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
 
        hci_dev_lock(hdev);
 
-       for (; num_rsp; num_rsp--, info++) {
+       for (i = 0; i < ev->num; i++) {
+               struct inquiry_info *info = &ev->info[i];
                u32 flags;
 
                bacpy(&data.bdaddr, &info->bdaddr);
MicroBlaze GIT Repository