diff options
| author |   Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2025-06-05 11:14:25 -0400 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2025-06-11 15:59:07 -0400 |
| commit | 20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb (patch) | |
| tree | a5e134538733856bc1e60f078ea77637862e7bf4 | |
| parent | net/mdiobus: Fix potential out-of-bounds clause 45 read/write access (diff) | |
| download | wireguard-linux-20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb.tar.xz wireguard-linux-20a2aa01f5aeb6daad9aeaa7c33dd512c58d81eb.zip | |
Bluetooth: Fix NULL pointer deference on eir_get_service_data
The len parameter is considered optional so it can be NULL so it cannot
be used for skipping to next entry of EIR_SERVICE_DATA.
Fixes: 8f9ae5b3ae80 ("Bluetooth: eir: Add helpers for managing service data")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
| -rw-r--r-- | net/bluetooth/eir.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c index 1bc51e2b05a3..3e1713673ecc 100644 --- a/net/bluetooth/eir.c +++ b/net/bluetooth/eir.c @@ -366,17 +366,19 @@ u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr) void *eir_get_service_data(u8 *eir, size_t eir_len, u16 uuid, size_t *len) { - while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, len))) { + size_t dlen; + + while ((eir = eir_get_data(eir, eir_len, EIR_SERVICE_DATA, &dlen))) { u16 value = get_unaligned_le16(eir); if (uuid == value) { if (len) - *len -= 2; + *len = dlen - 2; return &eir[2]; } - eir += *len; - eir_len -= *len; + eir += dlen; + eir_len -= dlen; } return NULL; |