diff options
| author |   Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2025-06-10 10:14:35 -0400 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2025-06-11 16:29:22 -0400 |
| commit | 47c03902269aff377f959dc3fd94a9733aa31d6e (patch) | |
| tree | 0f70e4853dfb4b476be1857c8f63ddfa1f332264 /net/bluetooth/hci_sync.c | |
| parent | Bluetooth: hci_sync: Fix broadcast/PA when using an existing instance (diff) | |
| download | wireguard-linux-47c03902269aff377f959dc3fd94a9733aa31d6e.tar.xz wireguard-linux-47c03902269aff377f959dc3fd94a9733aa31d6e.zip | |
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER
without checking if that would fit.
Link: https://github.com/bluez/bluez/issues/1117#issuecomment-2958244066
Fixes: 01ce70b0a274 ("Bluetooth: eir: Move EIR/Adv Data functions to its own file")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to '')
| -rw-r--r-- | net/bluetooth/hci_sync.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 8ba1c3aa7801..83de3847c8ea 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -1822,7 +1822,8 @@ static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) return 0; } - len = eir_create_adv_data(hdev, instance, pdu->data); + len = eir_create_adv_data(hdev, instance, pdu->data, + HCI_MAX_EXT_AD_LENGTH); pdu->length = len; pdu->handle = adv ? adv->handle : instance; @@ -1853,7 +1854,7 @@ static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) memset(&cp, 0, sizeof(cp)); - len = eir_create_adv_data(hdev, instance, cp.data); + len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); /* There's nothing to do if the data hasn't changed */ if (hdev->adv_data_len == len && |