diff options
| author | Greg Kroah-Hartman <gregkh@google.com> | 2022-02-03 10:00:04 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@google.com> | 2022-02-03 10:00:04 +0100 |
| commit | 875c0cc8115381f702b12d41de293807f47cdac9 (patch) | |
| tree | 10431bbf56af73e59e2568b7ddd2ef272912fd96 /net/bluetooth/hci_event.c | |
| parent | f9409de296c8aa14f421677325bc741b8256e017 (diff) | |
| parent | a09b2d8f61ea0e9ae735c400399b97966a9418d6 (diff) | |
Merge 4.4.302 into android-4.4-p
Changes in 4.4.302
can: bcm: fix UAF of bcm op
Bluetooth: refactor malicious adv data check
s390/hypfs: include z/VM guests with access control group set
scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices
udf: Restore i_lenAlloc when inode expansion fails
udf: Fix NULL ptr deref when converting from inline format
PM: wakeup: simplify the output logic of pm_show_wakelocks()
serial: stm32: fix software flow control transfer
tty: n_gsm: fix SW flow control encoding/handling
tty: Add support for Brainboxes UC cards.
usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
USB: core: Fix hang in usb_kill_urb by adding memory barriers
scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put()
ipv6_tunnel: Rate limit warning messages
net: fix information leakage in /proc/net/ptype
ipv4: avoid using shared IP generator for connected sockets
net-procfs: show net devices bound packet types
drm/msm: Fix wrong size calculation
hwmon: (lm90) Reduce maximum conversion rate for G781
ipv4: raw: lock the socket in raw_bind()
ipv4: tcp: send zero IPID in SYNACK messages
Bluetooth: MGMT: Fix misplaced BT_HS check
Revert "drm/radeon/ci: disable mclk switching for high refresh rates (v2)"
Revert "tc358743: fix register i2c_rd/wr function fix"
KVM: x86: Fix misplaced backport of "work around leak of uninitialized stack contents"
Input: i8042 - Fix misplaced backport of "add ASUS Zenbook Flip to noselftest list"
Linux 4.4.302
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I5191d3cb4df0fa8de60170d2fedf4a3c51380fdf
Diffstat (limited to 'net/bluetooth/hci_event.c')
| -rw-r--r-- | net/bluetooth/hci_event.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 05ccd2bcd9e4..a557543ad29f 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4940,6 +4940,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) struct hci_ev_le_advertising_info *ev = ptr; s8 rssi; + if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) { + bt_dev_err(hdev, "Malicious advertising data."); + break; + } + if (ev->length <= HCI_MAX_AD_LENGTH && ev->data + ev->length <= skb_tail_pointer(skb)) { rssi = ev->data[ev->length]; @@ -4951,11 +4956,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) } ptr += sizeof(*ev) + ev->length + 1; - - if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { - bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); - break; - } } hci_dev_unlock(hdev); |