Bluetooth: Prevent buffer overflow for large advertisement data

There are some controllers sending out advertising data with illegal
length value which is longer than HCI_MAX_AD_LENGTH, causing the
buffer last_adv_data overflows. To avoid these controllers from
overflowing the buffer, we do not process the advertisement data
if its length is incorrect.

Signed-off-by: Chriz Chow <chriz.chow@aminocom.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 139707cd9d352c9c76302b58c40b3148de33d051..235b5aaab23de901b17b107e7234dfcf0d67d903 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4942,10 +4942,14 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
                struct hci_ev_le_advertising_info *ev = ptr;
                s8 rssi;
 
-               rssi = ev->data[ev->length];
-               process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
-                                  ev->bdaddr_type, NULL, 0, rssi,
-                                  ev->data, ev->length);
+               if (ev->length <= HCI_MAX_AD_LENGTH) {
+                       rssi = ev->data[ev->length];
+                       process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+                                          ev->bdaddr_type, NULL, 0, rssi,
+                                          ev->data, ev->length);
+               } else {
+                       bt_dev_err(hdev, "Dropping invalid advertising data");
+               }
 
                ptr += sizeof(*ev) + ev->length + 1;
        }