bluetooth: Validate socket address length in sco_sock_bind().

[ Upstream commit 5233252f ] Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

bluetooth: Validate socket address length in sco_sock_bind().
[ Upstream commit 5233252f ] Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
56619856 · David S. Miller · Sasha Levin · 652ed6f6 · 56619856
Commit 56619856 authored Dec 15, 2015 by David S. Miller Committed by Sasha Levin Jan 15, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

net/bluetooth/sco.c net/bluetooth/sco.c +3 -0

No files found.
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -520,6 +520,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int addr_le
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
+	if (addr_len < sizeof(struct sockaddr_sco))
+		return -EINVAL;
 	lock_sock(sk);
 	if (sk->sk_state != BT_OPEN) {