[PATCH] Bluetooth: btintel: prevent buffer overflow in btintel_read_version_tlv()

[PATCH] Bluetooth: btintel: prevent buffer overflow in btintel_read_version_tlv()

[Dan Carpenter]

Smatch says that "tlv->len" comes from skb->data and so it's untrusted.
It can be 0-255 which is more than the size of "version->otp_bd_addr"
which is 6 bytes so the memcpy() could lead to memory corruption.

drivers/bluetooth/btintel.c:583 btintel_read_version_tlv() error: '__memcpy()' '&version->otp_bd_addr' too small (6 vs 255)

Fix this by clamping the length to sizeof(version->otp_bd_addr).

Fixes: 57375beef71a ("Bluetooth: btintel: Add infrastructure to read controller information")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
 drivers/bluetooth/btintel.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/bluetooth/btintel.c b/drivers/bluetooth/btintel.c
index e44b6993cf91..654288e974b0 100644
--- a/drivers/bluetooth/btintel.c
+++ b/drivers/bluetooth/btintel.c
@@ -515,6 +515,7 @@ int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *ver
 	 */
 	while (skb->len) {
 		struct intel_tlv *tlv;
+		int len;
 
 		tlv = (struct intel_tlv *)skb->data;
 		switch (tlv->type) {
@@ -580,7 +581,8 @@ int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *ver
 			version->sbe_type = tlv->val[0];
 			break;
 		case INTEL_TLV_OTP_BDADDR:
-			memcpy(&version->otp_bd_addr, tlv->val, tlv->len);
+			len = min_t(int, tlv->len, sizeof(version->otp_bd_addr));
+			memcpy(&version->otp_bd_addr, tlv->val, len);
 			break;
 		default:
 			/* Ignore rest of information */
-- 
2.30.2