Bluetooth: refactor malicious adv data check

BugLink: https://bugs.launchpad.net/bugs/1959879
commit 899663be5e75dc0174dc8bda0b5e6826edf0b29a upstream.

Check for out-of-bound read was being performed at the end of while
num_reports loop, and would fill journal with false positives. Added
check to beginning of loop processing so that it doesn't get checked
after ptr has been advanced.

Signed-off-by: Brian Gix <brian.gix@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: syphyr <syphyr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Paolo Pisati <paolo.pisati@canonical.com>

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 20e36126bbdaec2c4ae310b6ea0a7c51cc14de83..868a22df3285002a21480ea94071b6ec94fe526a 100644 (file)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5782,6 +5782,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
                struct hci_ev_le_advertising_info *ev = ptr;
                s8 rssi;
 
+               if (ptr > (void *)skb_tail_pointer(skb) - sizeof(*ev)) {
+                       bt_dev_err(hdev, "Malicious advertising data.");
+                       break;
+               }
+
                if (ev->length <= HCI_MAX_AD_LENGTH &&
                    ev->data + ev->length <= skb_tail_pointer(skb)) {
                        rssi = ev->data[ev->length];
@@ -5793,11 +5798,6 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
                }
 
                ptr += sizeof(*ev) + ev->length + 1;
-
-               if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) {
-                       bt_dev_err(hdev, "Malicious advertising data. Stopping processing");
-                       break;
-               }
        }
 
        hci_dev_unlock(hdev);