Commit 2296bb5b authored by David S. Miller's avatar David S. Miller Committed by Luis Henriques

bluetooth: Validate socket address length in sco_sock_bind().

commit 5233252f upstream.
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
parent 485724cd
...@@ -459,6 +459,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le ...@@ -459,6 +459,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
if (!addr || addr->sa_family != AF_BLUETOOTH) if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL; return -EINVAL;
if (addr_len < sizeof(struct sockaddr_sco))
return -EINVAL;
lock_sock(sk); lock_sock(sk);
if (sk->sk_state != BT_OPEN) { if (sk->sk_state != BT_OPEN) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment