Bluetooth: HCI: Use skb_pull_data to parse Extended Inquiry Result event

This uses skb_pull_data to check the Extended Inquiry Result events
received have the minimum required length.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h
index d25afd92a46e0974ebcc08d50fe2d50d756d7ab0..9e721e6efef303968dd9405a8c8107ae6b781feb 100644 (file)
--- a/include/net/bluetooth/hci.h
+++ b/include/net/bluetooth/hci.h
@@ -2273,6 +2273,11 @@ struct extended_inquiry_info {
        __u8     data[240];
 } __packed;
 
+struct hci_ev_ext_inquiry_result {
+       __u8     num;
+       struct extended_inquiry_info info[];
+} __packed;
+
 #define HCI_EV_KEY_REFRESH_COMPLETE    0x30
 struct hci_ev_key_refresh_complete {
        __u8    status;

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 6560dca8c5ce5e7b93eec6b7eddbc89bd7268637..89c263c1883f5211925114ff186fd7c1459df544 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5186,14 +5186,23 @@ static inline size_t eir_get_length(u8 *eir, size_t eir_len)
 static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
                                            struct sk_buff *skb)
 {
+       struct hci_ev_ext_inquiry_result *ev;
        struct inquiry_data data;
-       struct extended_inquiry_info *info = (void *) (skb->data + 1);
-       int num_rsp = *((__u8 *) skb->data);
        size_t eir_len;
+       int i;
 
-       BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+       ev = hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
+                            sizeof(*ev));
+       if (!ev)
+               return;
 
-       if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+       if (!hci_ev_skb_pull(hdev, skb, HCI_EV_EXTENDED_INQUIRY_RESULT,
+                            flex_array_size(ev, info, ev->num)))
+               return;
+
+       BT_DBG("%s num %d", hdev->name, ev->num);
+
+       if (!ev->num)
                return;
 
        if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
@@ -5201,7 +5210,8 @@ static void hci_extended_inquiry_result_evt(struct hci_dev *hdev,
 
        hci_dev_lock(hdev);
 
-       for (; num_rsp; num_rsp--, info++) {
+       for (i = 0; i < ev->num; i++) {
+               struct extended_inquiry_info *info = &ev->info[i];
                u32 flags;
                bool name_known;