diff options
| author | Johan Hovold <johan+linaro@kernel.org> | 2024-05-01 15:34:53 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-05-17 12:56:22 +0300 |
| commit | bcccdc947d2ca5972b1e92d0dea10803ddc08ceb (patch) | |
| tree | 14539c6dd72bbb821fe4899e2e7e15e546bb9b4a | |
| parent | 29a475688aebe47f23a94d6cbfd320311a368f65 (diff) | |
| download | linux-bcccdc947d2ca5972b1e92d0dea10803ddc08ceb.tar.xz | |
Bluetooth: qca: fix info leak when fetching board id
commit 0adcf6be1445ed50bfd4a451a7a782568f270197 upstream.
Add the missing sanity check when fetching the board id to avoid leaking
slab data when later requesting the firmware.
Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066")
Cc: stable@vger.kernel.org # 6.7
Cc: Tim Jiang <quic_tjiang@quicinc.com>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/bluetooth/btqca.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c index a09b2fe6fff1..04cb4ce48aa4 100644 --- a/drivers/bluetooth/btqca.c +++ b/drivers/bluetooth/btqca.c @@ -235,6 +235,11 @@ static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid) goto out; } + if (skb->len < 3) { + err = -EILSEQ; + goto out; + } + *bid = (edl->data[1] << 8) + edl->data[2]; bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid); |