Commit 855a93a

peilin-ye authored and gregkh committed
Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
commit 75bbd2e upstream.

Check `num_rsp` before using it as for-loop counter.

Cc: [email protected]
Signed-off-by: Peilin Ye <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent aea7791 commit 855a93a

1 file changed: +1 -1 lines changed

net/bluetooth/hci_event.c

Lines changed: 1 addition & 1 deletion
@@ -2094,7 +2094,7 @@ static void hci_inquiry_result_evt(struct hci_dev *hdev, struct sk_buff *skb)
20942094

20952095
BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
20962096

2097-
if (!num_rsp)
2097+
if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
20982098
return;
20992099

21002100
if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
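
Review bot: The `+ 1` in the new condition `skb->len < num_rsp * sizeof(*info) + 1` is a magic number with no explanation; if it stands for the count byte that precedes the `info` array in the event payload, say so in a one-line comment so the same bound can be audited against the other inquiry-result handlers. The short-packet case also shares the silent `return;` with the legitimate `!num_rsp` case, so a truncated or malformed event leaves no trace; consider giving it its own branch with a debug or rate-limited error message after the existing `BT_DBG`.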
