Bluetooth: ISO: Fix memory corruption

The following memory corruption can happen since iso_pinfo.base size
did not account for its headers (4 bytes):

net/bluetooth/eir.c
    76          memcpy(&eir[eir_len], data, data_len);
                            ^^^^^^^         ^^^^^^^^
    77          eir_len += data_len;
    78
    79          return eir_len;
    80  }

The "eir" buffer has 252 bytes and data_len is 252 but we do a memcpy()
to &eir[4] so this can corrupt 4 bytes beyond the end of the buffer.

Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index dded22cde0d175be2ac8496c177094c39b1a2c5b..70c2dd30cb136b14e4278c89b4b16f2f5ed9c006 100644 (file)
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -44,6 +44,9 @@ static void iso_sock_kill(struct sock *sk);
 /* ----- ISO socket info ----- */
 #define iso_pi(sk) ((struct iso_pinfo *)sk)
 
+#define EIR_SERVICE_DATA_LENGTH 4
+#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+
 struct iso_pinfo {
        struct bt_sock          bt;
        bdaddr_t                src;
@@ -57,7 +60,7 @@ struct iso_pinfo {
        __u32                   flags;
        struct bt_iso_qos       qos;
        __u8                    base_len;
-       __u8                    base[HCI_MAX_PER_AD_LENGTH];
+       __u8                    base[BASE_MAX_LENGTH];
        struct iso_conn         *conn;
 };