Commit 4178ba46 authored by Gustavo F. Padovan's avatar Gustavo F. Padovan Committed by Marcel Holtmann

Bluetooth: Prevents buffer overflow on l2cap_ertm_reassembly_sdu()

The checks should be done before the the memcpy to avoid buffer
overflow.
Reported-by: default avatarJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Signed-off-by: default avatarGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
parent dfc909be
...@@ -3470,12 +3470,12 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c ...@@ -3470,12 +3470,12 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
if (!pi->sdu) if (!pi->sdu)
goto disconnect; goto disconnect;
memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
pi->partial_sdu_len += skb->len; pi->partial_sdu_len += skb->len;
if (pi->partial_sdu_len > pi->sdu_len) if (pi->partial_sdu_len > pi->sdu_len)
goto drop; goto drop;
memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
break; break;
case L2CAP_SDU_END: case L2CAP_SDU_END:
...@@ -3486,8 +3486,6 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c ...@@ -3486,8 +3486,6 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
goto disconnect; goto disconnect;
if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) { if (!(pi->conn_state & L2CAP_CONN_SAR_RETRY)) {
memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
pi->partial_sdu_len += skb->len; pi->partial_sdu_len += skb->len;
if (pi->partial_sdu_len > pi->imtu) if (pi->partial_sdu_len > pi->imtu)
...@@ -3495,6 +3493,8 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c ...@@ -3495,6 +3493,8 @@ static int l2cap_ertm_reassembly_sdu(struct sock *sk, struct sk_buff *skb, u16 c
if (pi->partial_sdu_len != pi->sdu_len) if (pi->partial_sdu_len != pi->sdu_len)
goto drop; goto drop;
memcpy(skb_put(pi->sdu, skb->len), skb->data, skb->len);
} }
_skb = skb_clone(pi->sdu, GFP_ATOMIC); _skb = skb_clone(pi->sdu, GFP_ATOMIC);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment