| Message ID | 20210419171257.3865181-4-luiz.dentz@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Bluetooth: HCI: Use skb_pull to parse events | expand |
Hi Luiz, > This uses skb_pull to check the Number of Complete Packets events > received have the minimum required length. > > Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> > --- > include/net/bluetooth/hci.h | 2 +- > net/bluetooth/hci_event.c | 20 +++++++++++--------- > 2 files changed, 12 insertions(+), 10 deletions(-) > > diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h > index f1f505355e81..9251ae3a2ce0 100644 > --- a/include/net/bluetooth/hci.h > +++ b/include/net/bluetooth/hci.h > @@ -2021,7 +2021,7 @@ struct hci_comp_pkts_info { > } __packed; > > struct hci_ev_num_comp_pkts { > - __u8 num_hndl; > + __u8 num; > struct hci_comp_pkts_info handles[]; > } __packed; > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index cc2d68389edc..c353dfafb04c 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -4264,23 +4264,25 @@ static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) > > static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) > { > - struct hci_ev_num_comp_pkts *ev = (void *) skb->data; > + struct hci_ev_num_comp_pkts *ev; > int i; > > - if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { > - bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); > + ev = hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, sizeof(*ev)); > + if (!ev) > return; > - } > > - if (skb->len < sizeof(*ev) || > - skb->len < struct_size(ev, handles, ev->num_hndl)) { > - BT_DBG("%s bad parameters", hdev->name); > + if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, > + flex_array_size(ev, handles, ev->num))) > + return; > + > + if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { > + bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); > return; > } > > - BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); > + BT_DBG("%s num %d", hdev->name, ev->num); If you are touching BT_DBG anyway then switch to bt_dev_dbg() please. Regards Marcel
diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h index f1f505355e81..9251ae3a2ce0 100644 --- a/include/net/bluetooth/hci.h +++ b/include/net/bluetooth/hci.h @@ -2021,7 +2021,7 @@ struct hci_comp_pkts_info { } __packed; struct hci_ev_num_comp_pkts { - __u8 num_hndl; + __u8 num; struct hci_comp_pkts_info handles[]; } __packed; diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index cc2d68389edc..c353dfafb04c 100644 --- a/net/bluetooth/hci_event.c +++ b/net/bluetooth/hci_event.c @@ -4264,23 +4264,25 @@ static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) { - struct hci_ev_num_comp_pkts *ev = (void *) skb->data; + struct hci_ev_num_comp_pkts *ev; int i; - if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { - bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); + ev = hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, sizeof(*ev)); + if (!ev) return; - } - if (skb->len < sizeof(*ev) || - skb->len < struct_size(ev, handles, ev->num_hndl)) { - BT_DBG("%s bad parameters", hdev->name); + if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, + flex_array_size(ev, handles, ev->num))) + return; + + if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { + bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); return; } - BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); + BT_DBG("%s num %d", hdev->name, ev->num); - for (i = 0; i < ev->num_hndl; i++) { + for (i = 0; i < ev->num; i++) { struct hci_comp_pkts_info *info = &ev->handles[i]; struct hci_conn *conn; __u16 handle, count;