Bluetooth: hci_core: Fix not checking skb length on hci_scodata_packet

This fixes not checking if skb really contains an SCO header otherwise the code may attempt to access some uninitilized/invalid memory past the valid skb->data. Signed-off-by: Luiz Augusto von Dentz <[email protected]>
amazonlinux · Nov 14, 2024 · 59437cb · 59437cb
1 parent 3fe288a
commit 59437cb
Showing 1 changed file with 9 additions and 4 deletions.
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
@@ -3814,18 +3814,22 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
 /* SCO data packet */
 static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
 {
-	struct hci_sco_hdr *hdr = (void *) skb->data;
+	struct hci_sco_hdr *hdr;
 	struct hci_conn *conn;
 	__u16 handle, flags;
 
-	skb_pull(skb, HCI_SCO_HDR_SIZE);
+	hdr = skb_pull_data(skb, sizeof(*hdr));
+	if (!hdr) {
+		bt_dev_err(hdev, "SCO packet too small");
+		goto drop;
+	}
 
 	handle = __le16_to_cpu(hdr->handle);
 	flags  = hci_flags(handle);
 	handle = hci_handle(handle);
 
-	BT_DBG("%s len %d handle 0x%4.4x flags 0x%4.4x", hdev->name, skb->len,
-	       handle, flags);
+	bt_dev_dbg(hdev, "len %d handle 0x%4.4x flags 0x%4.4x", skb->len,
+		   handle, flags);
 
 	hdev->stat.sco_rx++;
 
@@ -3843,6 +3847,7 @@ static void hci_scodata_packet(struct hci_dev *hdev, struct sk_buff *skb)
 				       handle);
 	}
 
+drop:
 	kfree_skb(skb);
 }