Bluetooth: Fix potential buffer overflow with Add Advertising
[firefly-linux-kernel-4.4.55.git] / net / bluetooth / mgmt.c
index 7f22119276f391067b424da490e1c667d7a6272b..b1b0a1c0bd8d3faf75a6ff5de00931b163fcac66 100644 (file)
@@ -7155,6 +7155,10 @@ static int add_advertising(struct sock *sk, struct hci_dev *hdev,
                return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
                                       status);
 
+       if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
+               return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
+                                      MGMT_STATUS_INVALID_PARAMS);
+
        flags = __le32_to_cpu(cp->flags);
        timeout = __le16_to_cpu(cp->timeout);
        duration = __le16_to_cpu(cp->duration);
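Review bot: The new length check on the line after the `status` return carries no comment saying what it bounds; a reader has to know that `cp->data` holds the advertising data followed by the scan-response data and that the later reads of that tail are only safe once the sum of the two lengths is confirmed to fit in the received `data_len`. A one-line comment above it would make the invariant explicit: `/* Variable tail (adv data then scan rsp data) must fit exactly in the received command. */`. The check itself already reads `cp->adv_data_len` and `cp->scan_rsp_len`, so it presumably relies on the mgmt dispatcher having verified `data_len >= sizeof(*cp)` before the handler runs — worth confirming against the handler table rather than assuming. Using strict equality rather than `<=` also rejects commands with trailing bytes, which seems intentional but is worth stating in the comment. add_advertising starts before this hunk and continues after it.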