From: Gordon M. <gm...@us...> - 2001-04-17 07:03:27
The following file was modified in linux/drivers/char/bluetooth:
Name Old version New version Comment
---- ----------- ----------- -------
hci.c 1.137 1.138=20=20=20=20=20=20=20=20=20=20=20
The accompanying log:
Added some checks to make sure we don't write beyond the end of some of our buffers due to bad length field values.
The diff of the modified file(s):
--- hci.c 2001/04/12 15:13:01 1.137
+++ hci.c 2001/04/17 07:03:27 1.138
@@ -409,6 +409,21 @@
event_len =3D *buf;
buf +=3D 1;
count -=3D 1;
+
+ /* If we don't check this and the lower level driver
+ gives us some trashed values then we might write
+ beyond the end of our event buffer in a memcpy=20
+ below.
+ --gmcnutt
+ */
+ if (event_len > sizeof(event_buf)) {
+ D_ERR(__FUNCTION__ ": %d is too big for our "\
+ "event buffer -- discarding buffer\n",
+ event_len);
+ state =3D WAIT_FOR_PACKET_TYPE;
+ return;
+ }
+
if (event_len <=3D count) {
process_event(buf, event_len, event_type);
buf +=3D event_len;
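Review bot: The new bound at `if (event_len > sizeof(event_buf))` is only sufficient if the memcpy it protects always copies `event_len` bytes starting at the beginning of `event_buf`; the `if (event_len <= count)` branch right below suggests a short read is handled elsewhere, and if that path accumulates a partial event into `event_buf` across calls, the copy at that point must be bounded by the remaining space rather than the whole array. `sizeof(event_buf)` also assumes `event_buf` is an array in this scope rather than a pointer, in which case the comparison would be against the pointer size; worth confirming since the declaration is outside the hunk. The `%d` in the D_ERR format should match the declared type of `event_len` (it is loaded from a single byte, so an `unsigned` type and `%u` would be the natural pairing). A comment such as `/* event_len is a single byte from the wire and is untrusted; event_buf must hold at least this many bytes at the copy below */` would record why the check sits here. The enclosing function starts and ends outside the hunk.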
@@ -450,6 +465,19 @@
pb_flag =3D (((u32) hdr[1]) & 0x30) >> 4;
bc_flag =3D (((u32) hdr[1]) & 0xc0) >> 6;
data_len =3D CHAR2INT16(hdr[3],hdr[2]);
+
+ /* Check the length to make sure we won't=20
+ overrun in_buf->buf_ptr in a memcpy later.
+ --gmcnutt
+ */
+ if (data_len > HCI_IN_SIZE) {
+ D_ERR(__FUNCTION__ ": %d is too big "\
+ "for our HCI input buffers -- "\
+ "discarding buffer\n",
+ data_len);
+ state =3D WAIT_FOR_PACKET_TYPE;
+ return;
+ }
=20
if (pb_flag =3D=3D L2CAP_FRAME_START) {
D_REC(__FUNCTION__", new frame\n");
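Review bot: The check `if (data_len > HCI_IN_SIZE)` bounds a single ACL packet, but the `if (pb_flag == L2CAP_FRAME_START)` branch immediately after it implies that continuation fragments are appended to `in_buf->buf_ptr` behind data already received, and in that case `data_len` fitting in `HCI_IN_SIZE` does not by itself keep the memcpy inside the buffer. The continuation path is outside the hunk, so this is inferred; if it does append, the copy there should be bounded against the remaining space, e.g. `if (data_len > HCI_IN_SIZE - <bytes already stored in in_buf>)` (placeholder for the buffer's fill-level field), and a frame whose total exceeds the buffer should be discarded the same way this hunk does. `data_len` comes from `CHAR2INT16(hdr[3],hdr[2])`, a 16-bit wire value, so the `%d` in the D_ERR format should match its declared type. The enclosing function starts and ends outside the hunk.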