Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt() - kernel

diff options

author	Peilin Ye <[email protected]>	2020-07-10 16:09:15 +0000
committer	Marcel Holtmann <[email protected]>	2020-07-10 17:08:32 +0000
commit	51c19bf3d5cfaa66571e4b88ba2a6f6295311101 (patch)
tree	6cf9d3177bc98e38e12a72ebce4ebb141923fc14 /net/bluetooth/l2cap_sock.c
parent	Bluetooth: Use whitelist for scan policy when suspending (diff)
download	kernel-51c19bf3d5cfaa66571e4b88ba2a6f6295311101.tar.gz kernel-51c19bf3d5cfaa66571e4b88ba2a6f6295311101.zip

Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

Check upon `num_rsp` is insufficient. A malformed event packet with a large `num_rsp` number makes hci_extended_inquiry_result_evt() go out of bounds. Fix it. This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 Reported-by: [email protected] Cc: [email protected] Signed-off-by: Peilin Ye <[email protected]> Acked-by: Greg Kroah-Hartman <[email protected]> Signed-off-by: Marcel Holtmann <[email protected]>

Diffstat (limited to 'net/bluetooth/l2cap_sock.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: