Commit b48b833f authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz Committed by Marcel Holtmann

Bluetooth: HCI: Use skb_pull_data to parse LE Ext Advertising Report event

This uses skb_pull_data to check the LE Extended Advertising Report
events received have the minimum required length.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent 47afe93c
...@@ -2517,8 +2517,8 @@ struct hci_ev_le_phy_update_complete { ...@@ -2517,8 +2517,8 @@ struct hci_ev_le_phy_update_complete {
} __packed; } __packed;
#define HCI_EV_LE_EXT_ADV_REPORT 0x0d #define HCI_EV_LE_EXT_ADV_REPORT 0x0d
struct hci_ev_le_ext_adv_report { struct hci_ev_le_ext_adv_info {
__le16 evt_type; __le16 type;
__u8 bdaddr_type; __u8 bdaddr_type;
bdaddr_t bdaddr; bdaddr_t bdaddr;
__u8 primary_phy; __u8 primary_phy;
...@@ -2533,6 +2533,11 @@ struct hci_ev_le_ext_adv_report { ...@@ -2533,6 +2533,11 @@ struct hci_ev_le_ext_adv_report {
__u8 data[]; __u8 data[];
} __packed; } __packed;
struct hci_ev_le_ext_adv_report {
__u8 num;
struct hci_ev_le_ext_adv_info info[];
} __packed;
#define HCI_EV_LE_ENHANCED_CONN_COMPLETE 0x0a #define HCI_EV_LE_ENHANCED_CONN_COMPLETE 0x0a
struct hci_ev_le_enh_conn_complete { struct hci_ev_le_enh_conn_complete {
__u8 status; __u8 status;
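Review bot: The new `struct hci_ev_le_ext_adv_report` declares `info[]` as a plain array of `struct hci_ev_le_ext_adv_info`, but each element ends in its own flexible `data[]` and is therefore variable-length, so `ev->info[i]` does not address the i-th report; only a byte-wise walk that advances by `sizeof(*info) + info->length` does. ISO C also does not permit a struct with a flexible array member as an array element type, so this relies on a compiler extension, which is worth recording next to the member. A comment would prevent the obvious misuse: `/* variable-length entries (each carries data[]); walk with skb_pull_data, never index */`. The rest of the header around these hunks is not visible here, so other users of the old struct name cannot be checked from this page.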
...@@ -6649,26 +6649,40 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type) ...@@ -6649,26 +6649,40 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
{ {
u8 num_reports = skb->data[0]; struct hci_ev_le_ext_adv_report *ev;
void *ptr = &skb->data[1];
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
sizeof(*ev));
if (!ev)
return;
if (!ev->num)
return;
hci_dev_lock(hdev); hci_dev_lock(hdev);
while (num_reports--) { while (ev->num--) {
struct hci_ev_le_ext_adv_report *ev = ptr; struct hci_ev_le_ext_adv_info *info;
u8 legacy_evt_type; u8 legacy_evt_type;
u16 evt_type; u16 evt_type;
evt_type = __le16_to_cpu(ev->evt_type); info = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
sizeof(*info));
if (!info)
break;
if (!hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
info->length))
break;
evt_type = __le16_to_cpu(info->type);
legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type); legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
if (legacy_evt_type != LE_ADV_INVALID) { if (legacy_evt_type != LE_ADV_INVALID) {
process_adv_report(hdev, legacy_evt_type, &ev->bdaddr, process_adv_report(hdev, legacy_evt_type, &info->bdaddr,
ev->bdaddr_type, NULL, 0, ev->rssi, info->bdaddr_type, NULL, 0,
ev->data, ev->length, info->rssi, info->data, info->length,
!(evt_type & LE_EXT_ADV_LEGACY_PDU)); !(evt_type & LE_EXT_ADV_LEGACY_PDU));
} }
ptr += sizeof(*ev) + ev->length;
} }
hci_dev_unlock(hdev); hci_dev_unlock(hdev);
...@@ -7019,7 +7033,7 @@ static void hci_store_wake_reason(struct hci_dev *hdev, u8 event, ...@@ -7019,7 +7033,7 @@ static void hci_store_wake_reason(struct hci_dev *hdev, u8 event,
{ {
struct hci_ev_le_advertising_info *adv; struct hci_ev_le_advertising_info *adv;
struct hci_ev_le_direct_adv_info *direct_adv; struct hci_ev_le_direct_adv_info *direct_adv;
struct hci_ev_le_ext_adv_report *ext_adv; struct hci_ev_le_ext_adv_info *ext_adv;
const struct hci_ev_conn_complete *conn_complete = (void *)skb->data; const struct hci_ev_conn_complete *conn_complete = (void *)skb->data;
const struct hci_ev_conn_request *conn_request = (void *)skb->data; const struct hci_ev_conn_request *conn_request = (void *)skb->data;
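Review bot: `while (ev->num--)` now decrements the report count inside the skb payload itself, since `ev` presumably points into `skb->data` after the first `hci_le_ev_skb_pull`, whereas the removed code counted down a local `num_reports`. Writing into the received event buffer is surprising, and if that buffer is shared with a cloned skb (for example one queued for monitor or raw HCI sockets, which this hunk does not show) the mutation would be visible there too. Counting down a local keeps the payload read-only: `u8 num = ev->num;` before the lock and `while (num--) {` for the loop. The bounds handling itself looks right: both pulls fail before `info->data` is read past the end, and `hci_dev_unlock` is reached on every path. The `hci_store_wake_reason` hunk only renames the `ext_adv` type; its body starts outside the hunk, so whether `ext_adv` is length-checked before use cannot be seen here.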