* [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries
@ 2020-10-16 18:09 Luiz Augusto von Dentz
2020-10-16 18:09 ` [PATCH 2/2] Bluetooth: A2MP: Fix not setting request ID Luiz Augusto von Dentz
2020-10-16 18:35 ` [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries Luiz Augusto von Dentz
0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2020-10-16 18:09 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
When receiving advertisements check if the length is actually within
the skb, this also make use of skb_pull to advance on the skb->data
instead of a custom ptr that way skb->len shall always indicates how
much data is remaining and can be used to perform checks if there is
enough data to parse.
Fixes: a2ec905d1e160a33b2e210e45ad30445ef26ce0e ("Bluetooth: fix kernel oops in store_pending_adv_report")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/hci_event.c | 72 ++++++++++++++++++++++++++++++---------
1 file changed, 55 insertions(+), 17 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a4c3703f2e94..ae31d227730b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5599,24 +5599,40 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
u8 num_reports = skb->data[0];
- void *ptr = &skb->data[1];
hci_dev_lock(hdev);
+ skb_pull(skb, sizeof(num_reports));
+
while (num_reports--) {
- struct hci_ev_le_advertising_info *ev = ptr;
+ struct hci_ev_le_advertising_info *ev;
s8 rssi;
- if (ev->length <= HCI_MAX_AD_LENGTH) {
- rssi = ev->data[ev->length];
- process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
- ev->bdaddr_type, NULL, 0, rssi,
- ev->data, ev->length, false);
- } else {
- bt_dev_err(hdev, "Dropping invalid advertising data");
+ if (skb->len < sizeof(*ev)) {
+ bt_dev_err(hdev, "Malformed advertising report");
+ break;
+ }
+
+ ev = (void *) skb->data;
+ skb_pull(skb, sizeof(*ev));
+
+ if (skb->len < ev->length || ev->length > HCI_MAX_AD_LENGTH) {
+ bt_dev_err(hdev, "Malformed advertising data");
+ break;
}
- ptr += sizeof(*ev) + ev->length + 1;
+ skb_pull(skb, ev->length);
+
+ if (skb->len < sizeof(rssi)) {
+ bt_dev_err(hdev, "Malformed advertising rssi");
+ break;
+ }
+
+ rssi = get_unaligned(skb->data);
+
+ process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
+ ev->bdaddr_type, NULL, 0, rssi,
+ ev->data, ev->length, false);
}
hci_dev_unlock(hdev);
@@ -5669,15 +5685,31 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
u8 num_reports = skb->data[0];
- void *ptr = &skb->data[1];
hci_dev_lock(hdev);
+ skb_pull(skb, sizeof(num_reports));
+
while (num_reports--) {
- struct hci_ev_le_ext_adv_report *ev = ptr;
+ struct hci_ev_le_ext_adv_report *ev;
u8 legacy_evt_type;
u16 evt_type;
+ if (skb->len < sizeof(*ev)) {
+ bt_dev_err(hdev, "Malformed ext advertising report");
+ break;
+ }
+
+ ev = (void *) skb->data;
+ skb_pull(skb, sizeof(*ev));
+
+ if (skb->len < ev->length || ev->length > HCI_MAX_AD_LENGTH) {
+ bt_dev_err(hdev, "Malformed ext advertising data");
+ break;
+ }
+
+ skb_pull(skb, ev->length);
+
evt_type = __le16_to_cpu(ev->evt_type);
legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
if (legacy_evt_type != LE_ADV_INVALID) {
@@ -5687,7 +5719,6 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
!(evt_type & LE_EXT_ADV_LEGACY_PDU));
}
- ptr += sizeof(*ev) + ev->length;
}
hci_dev_unlock(hdev);
@@ -5873,19 +5904,26 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
struct sk_buff *skb)
{
u8 num_reports = skb->data[0];
- void *ptr = &skb->data[1];
hci_dev_lock(hdev);
+ skb_pull(skb, sizeof(num_reports));
+
while (num_reports--) {
- struct hci_ev_le_direct_adv_info *ev = ptr;
+ struct hci_ev_le_direct_adv_info *ev;
+
+ if (skb->len < sizeof(*ev)) {
+ bt_dev_err(hdev, "Malformed direct advertising");
+ break;
+ }
+
+ ev = (void *) skb->data;
+ skb_pull(skb, sizeof(*ev));
process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
ev->bdaddr_type, &ev->direct_addr,
ev->direct_addr_type, ev->rssi, NULL, 0,
false);
-
- ptr += sizeof(*ev);
}
hci_dev_unlock(hdev);
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH 2/2] Bluetooth: A2MP: Fix not setting request ID
2020-10-16 18:09 [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries Luiz Augusto von Dentz
@ 2020-10-16 18:09 ` Luiz Augusto von Dentz
2020-10-16 18:35 ` [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries Luiz Augusto von Dentz
1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2020-10-16 18:09 UTC (permalink / raw)
To: linux-bluetooth
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This fixes not resetting of the request ID when sending
A2MP_GETAMPASSOC_RSP.
Fixes: Bluetooth: A2MP: Fix not initializing all members
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
net/bluetooth/a2mp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c
index da7fd7c8c2dc..7a1e0b785f45 100644
--- a/net/bluetooth/a2mp.c
+++ b/net/bluetooth/a2mp.c
@@ -381,10 +381,11 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb,
hdev = hci_dev_get(req->id);
if (!hdev || hdev->amp_type == AMP_TYPE_BREDR || tmp) {
struct a2mp_amp_assoc_rsp rsp;
- rsp.id = req->id;
memset(&rsp, 0, sizeof(rsp));
+ rsp.id = req->id;
+
if (tmp) {
rsp.status = A2MP_STATUS_COLLISION_OCCURED;
amp_mgr_put(tmp);
--
2.26.2
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries
2020-10-16 18:09 [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries Luiz Augusto von Dentz
2020-10-16 18:09 ` [PATCH 2/2] Bluetooth: A2MP: Fix not setting request ID Luiz Augusto von Dentz
@ 2020-10-16 18:35 ` Luiz Augusto von Dentz
1 sibling, 0 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2020-10-16 18:35 UTC (permalink / raw)
To: linux-bluetooth
Cc: Andy Nguyen, Linus Torvalds, Balakrishna Godavarthi,
Alain Michaud, Sonny Sasaka, Marcel Holtmann
Hi,
Im CC you guys since you appear in the original fix, if you can please
tests the following patch with the malformed advertisement or let me
know how you were able to generate it I would appreciate it.
On Fri, Oct 16, 2020 at 11:09 AM Luiz Augusto von Dentz
<luiz.dentz@gmail.com> wrote:
>
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> When receiving advertisements check if the length is actually within
> the skb, this also make use of skb_pull to advance on the skb->data
> instead of a custom ptr that way skb->len shall always indicates how
> much data is remaining and can be used to perform checks if there is
> enough data to parse.
>
> Fixes: a2ec905d1e160a33b2e210e45ad30445ef26ce0e ("Bluetooth: fix kernel oops in store_pending_adv_report")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> net/bluetooth/hci_event.c | 72 ++++++++++++++++++++++++++++++---------
> 1 file changed, 55 insertions(+), 17 deletions(-)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index a4c3703f2e94..ae31d227730b 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -5599,24 +5599,40 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
> static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
> {
> u8 num_reports = skb->data[0];
> - void *ptr = &skb->data[1];
>
> hci_dev_lock(hdev);
>
> + skb_pull(skb, sizeof(num_reports));
> +
> while (num_reports--) {
> - struct hci_ev_le_advertising_info *ev = ptr;
> + struct hci_ev_le_advertising_info *ev;
> s8 rssi;
>
> - if (ev->length <= HCI_MAX_AD_LENGTH) {
> - rssi = ev->data[ev->length];
> - process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
> - ev->bdaddr_type, NULL, 0, rssi,
> - ev->data, ev->length, false);
> - } else {
> - bt_dev_err(hdev, "Dropping invalid advertising data");
> + if (skb->len < sizeof(*ev)) {
> + bt_dev_err(hdev, "Malformed advertising report");
> + break;
> + }
> +
> + ev = (void *) skb->data;
> + skb_pull(skb, sizeof(*ev));
> +
> + if (skb->len < ev->length || ev->length > HCI_MAX_AD_LENGTH) {
> + bt_dev_err(hdev, "Malformed advertising data");
> + break;
> }
>
> - ptr += sizeof(*ev) + ev->length + 1;
> + skb_pull(skb, ev->length);
> +
> + if (skb->len < sizeof(rssi)) {
> + bt_dev_err(hdev, "Malformed advertising rssi");
> + break;
> + }
> +
> + rssi = get_unaligned(skb->data);
> +
> + process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
> + ev->bdaddr_type, NULL, 0, rssi,
> + ev->data, ev->length, false);
> }
>
> hci_dev_unlock(hdev);
> @@ -5669,15 +5685,31 @@ static u8 ext_evt_type_to_legacy(struct hci_dev *hdev, u16 evt_type)
> static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
> {
> u8 num_reports = skb->data[0];
> - void *ptr = &skb->data[1];
>
> hci_dev_lock(hdev);
>
> + skb_pull(skb, sizeof(num_reports));
> +
> while (num_reports--) {
> - struct hci_ev_le_ext_adv_report *ev = ptr;
> + struct hci_ev_le_ext_adv_report *ev;
> u8 legacy_evt_type;
> u16 evt_type;
>
> + if (skb->len < sizeof(*ev)) {
> + bt_dev_err(hdev, "Malformed ext advertising report");
> + break;
> + }
> +
> + ev = (void *) skb->data;
> + skb_pull(skb, sizeof(*ev));
> +
> + if (skb->len < ev->length || ev->length > HCI_MAX_AD_LENGTH) {
> + bt_dev_err(hdev, "Malformed ext advertising data");
> + break;
> + }
> +
> + skb_pull(skb, ev->length);
> +
> evt_type = __le16_to_cpu(ev->evt_type);
> legacy_evt_type = ext_evt_type_to_legacy(hdev, evt_type);
> if (legacy_evt_type != LE_ADV_INVALID) {
> @@ -5687,7 +5719,6 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
> !(evt_type & LE_EXT_ADV_LEGACY_PDU));
> }
>
> - ptr += sizeof(*ev) + ev->length;
> }
>
> hci_dev_unlock(hdev);
> @@ -5873,19 +5904,26 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
> struct sk_buff *skb)
> {
> u8 num_reports = skb->data[0];
> - void *ptr = &skb->data[1];
>
> hci_dev_lock(hdev);
>
> + skb_pull(skb, sizeof(num_reports));
> +
> while (num_reports--) {
> - struct hci_ev_le_direct_adv_info *ev = ptr;
> + struct hci_ev_le_direct_adv_info *ev;
> +
> + if (skb->len < sizeof(*ev)) {
> + bt_dev_err(hdev, "Malformed direct advertising");
> + break;
> + }
> +
> + ev = (void *) skb->data;
> + skb_pull(skb, sizeof(*ev));
>
> process_adv_report(hdev, ev->evt_type, &ev->bdaddr,
> ev->bdaddr_type, &ev->direct_addr,
> ev->direct_addr_type, ev->rssi, NULL, 0,
> false);
> -
> - ptr += sizeof(*ev);
> }
>
> hci_dev_unlock(hdev);
> --
> 2.26.2
>
--
Luiz Augusto von Dentz
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-10-16 18:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-10-16 18:09 [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries Luiz Augusto von Dentz
2020-10-16 18:09 ` [PATCH 2/2] Bluetooth: A2MP: Fix not setting request ID Luiz Augusto von Dentz
2020-10-16 18:35 ` [PATCH 1/2] Bluetooth: Fix not checking advertisement bondaries Luiz Augusto von Dentz
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).