* [PATCH 1/2] Bluetooth: Fix setting correct flags in AD
@ 2016-03-11 7:56 Johan Hedberg
From: Johan Hedberg @ 2016-03-11 7:56 UTC
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
A recent change added MGMT_ADV_FLAG_DISCOV to the flags returned by
get_adv_instance_flags(), however failed to take into account limited
discoverable mode. This patch fixes the issue by setting the correct
discoverability flag in the AD data.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/hci_request.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_request.c b/net/bluetooth/hci_request.c
index 95a545ca9dbc..6e125d76df0d 100644
--- a/net/bluetooth/hci_request.c
+++ b/net/bluetooth/hci_request.c
@@ -872,7 +872,9 @@ static u32 get_adv_instance_flags(struct hci_dev *hdev, u8 instance)
if (hci_dev_test_flag(hdev, HCI_ADVERTISING_CONNECTABLE))
flags |= MGMT_ADV_FLAG_CONNECTABLE;
- if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
+ if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))
+ flags |= MGMT_ADV_FLAG_LIMITED_DISCOV;
+ else if (hci_dev_test_flag(hdev, HCI_DISCOVERABLE))
flags |= MGMT_ADV_FLAG_DISCOV;
return flags;
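Review bot: the new `else if` gives HCI_LIMITED_DISCOVERABLE precedence when both it and HCI_DISCOVERABLE are set, which is the right outcome because the AD Flags "LE Limited Discoverable" and "LE General Discoverable" bits are meant to be mutually exclusive, but nothing in the hunk records that the two hci_dev flags can be set together; a one-line comment above the `if (hci_dev_test_flag(hdev, HCI_LIMITED_DISCOVERABLE))` would spare the next reader from having to work that out. The message also refers to "a recent change" without naming it; a `Fixes:` tag pointing at that commit would let stable maintainers match this up.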
--
2.5.0
* [PATCH 2/2] Bluetooth: Fix potential buffer overflow with Add Advertising
From: Johan Hedberg @ 2016-03-11 7:56 UTC
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
The Add Advertising command handler does the appropriate checks for
the AD and Scan Response data, however fails to take into account the
general length of the mgmt command itself, which could lead to
potential buffer overflows. This patch adds the necessary check that
the mgmt command length is consistent with the given ad and scan_rsp
lengths.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/mgmt.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index c856fb65812c..9e4b931588cf 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5995,6 +5995,10 @@ static int add_advertising(struct sock *sk, struct hci_dev *hdev,
return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
MGMT_STATUS_INVALID_PARAMS);
+ if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING,
+ MGMT_STATUS_INVALID_PARAMS);
+
flags = __le32_to_cpu(cp->flags);
timeout = __le16_to_cpu(cp->timeout);
duration = __le16_to_cpu(cp->duration);
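Review bot: the consistency check is inserted after an existing `return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_ADVERTISING, MGMT_STATUS_INVALID_PARAMS)`; if the per-field validation that precedes it already reads from `cp->data` based on `cp->adv_data_len` or `cp->scan_rsp_len`, the over-read happens on that first access and this check must move above it, so please confirm the ordering relative to the AD and scan-response data checks the message mentions. Comparing with `!=` rather than `<` is the stricter and better choice, since a message with trailing bytes beyond the declared lengths is also rejected instead of silently truncated. Given the impact, add `Cc: stable@vger.kernel.org` and a `Fixes:` tag so the backport to 4.4 and 4.5 is tracked.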
--
2.5.0
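The failure mode the patch closes, as an added illustration that is not part of the thread and not the kernel's code: a variable-length management command whose header declares how many payload bytes follow, a reader that trusts those declared lengths, and the hardened ordering of checks (header size, per-field caps, then the whole-message equality check from the patch, then any access to the payload). The struct layout is modelled on the kernel's add-advertising command but is this example's own assumption, as are the status codes, the 31-byte LE payload cap, and the two constructed messages.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Command layout modelled on struct mgmt_cp_add_advertising; an assumption of
 * this example, not copied from the kernel header. All fields are bytes so the
 * struct has no padding and sizeof() is exactly the 11-byte wire header. */
struct add_adv_cmd {
	uint8_t instance;
	uint8_t flags[4];     /* little-endian u32 on the wire */
	uint8_t duration[2];  /* little-endian u16 */
	uint8_t timeout[2];   /* little-endian u16 */
	uint8_t adv_data_len;
	uint8_t scan_rsp_len;
	uint8_t data[];       /* adv_data_len bytes of AD, then scan_rsp_len bytes */
};

#define MGMT_STATUS_SUCCESS        0x00
#define MGMT_STATUS_INVALID_PARAMS 0x0d
#define HCI_MAX_AD_LENGTH          31   /* LE advertising / scan response payload cap (assumed) */

struct adv_instance {
	uint8_t adv_data[HCI_MAX_AD_LENGTH];
	uint8_t scan_rsp[HCI_MAX_AD_LENGTH];
	uint8_t adv_data_len;
	uint8_t scan_rsp_len;
};

/* How many bytes a handler that only caps the two length fields, but never
 * compares them with the received size, would read past the data_len bytes
 * it was actually given. Computed arithmetically, so nothing is over-read here. */
size_t unchecked_overread(const uint8_t *buf, size_t data_len)
{
	const struct add_adv_cmd *cp = (const struct add_adv_cmd *)buf;
	size_t need;

	if (data_len < sizeof(*cp))
		return 0; /* header itself is short; not the case this example is about */
	need = sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len;
	return need > data_len ? need - data_len : 0;
}

/* Hardened handler. Order matters: the header must be complete before its length
 * fields are read, the per-field caps bound the destination buffers, and the
 * equality check (the one the patch adds) is the only thing that makes the copies
 * from cp->data safe with respect to the source buffer. */
int add_advertising(const uint8_t *buf, size_t data_len, struct adv_instance *out)
{
	const struct add_adv_cmd *cp = (const struct add_adv_cmd *)buf;

	if (data_len < sizeof(*cp))
		return MGMT_STATUS_INVALID_PARAMS;
	if (cp->adv_data_len > HCI_MAX_AD_LENGTH ||
	    cp->scan_rsp_len > HCI_MAX_AD_LENGTH)
		return MGMT_STATUS_INVALID_PARAMS;
	/* Whole-message consistency: reject both truncated and over-long commands. */
	if (data_len != sizeof(*cp) + cp->adv_data_len + cp->scan_rsp_len)
		return MGMT_STATUS_INVALID_PARAMS;

	memcpy(out->adv_data, cp->data, cp->adv_data_len);
	memcpy(out->scan_rsp, cp->data + cp->adv_data_len, cp->scan_rsp_len);
	out->adv_data_len = cp->adv_data_len;
	out->scan_rsp_len = cp->scan_rsp_len;
	return MGMT_STATUS_SUCCESS;
}

/* Constructed messages, not captured traffic. */
/* Well-formed: a 3-byte AD carrying a Flags element (0x06 = LE General
 * Discoverable | BR/EDR Not Supported) and no scan response data. */
static const uint8_t good_cmd[] = {
	0x01,                   /* instance */
	0x00, 0x00, 0x00, 0x00, /* flags */
	0x00, 0x00,             /* duration */
	0x00, 0x00,             /* timeout */
	0x03,                   /* adv_data_len */
	0x00,                   /* scan_rsp_len */
	0x02, 0x01, 0x06        /* AD element: length 2, type Flags, value 0x06 */
};
/* Malformed: declares 31 + 31 payload bytes but sends only the 11-byte header. */
static const uint8_t short_cmd[] = {
	0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1f, 0x1f
};

int run_good(void)  { struct adv_instance a; return add_advertising(good_cmd, sizeof(good_cmd), &a); }
int run_short(void) { struct adv_instance a; return add_advertising(short_cmd, sizeof(short_cmd), &a); }
size_t short_overread(void) { return unchecked_overread(short_cmd, sizeof(short_cmd)); }
```

With the malformed message, `unchecked_overread` reports 62 bytes that a handler without the equality check would pull from beyond the received buffer, while `add_advertising` rejects it with INVALID_PARAMS before touching `cp->data`; the well-formed message passes all three checks and is copied.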
* Re: [PATCH 2/2] Bluetooth: Fix potential buffer overflow with Add Advertising
From: Johan Hedberg @ 2016-03-11 11:00 UTC
To: linux-bluetooth
Hi,
On Fri, Mar 11, 2016, Johan Hedberg wrote:
> The Add Advertising command handler does the appropriate checks for
> the AD and Scan Response data, however fails to take into account the
> general length of the mgmt command itself, which could lead to
> potential buffer overflows. This patch adds the necessary check that
> the mgmt command length is consistent with the given ad and scan_rsp
> lengths.
>
> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
> ---
> net/bluetooth/mgmt.c | 4 ++++
> 1 file changed, 4 insertions(+)
For the record, this one probably deserves a Cc: stable tag. It should
cleanly apply to 4.5 and with a little bit of fixing to 4.4 as well
(which might be more important as that's a long term support release).
Johan
* Re: [PATCH 2/2] Bluetooth: Fix potential buffer overflow with Add Advertising
From: Marcel Holtmann @ 2016-03-11 15:30 UTC
To: Johan Hedberg; +Cc: linux-bluetooth
Hi Johan,
> The Add Advertising command handler does the appropriate checks for
> the AD and Scan Response data, however fails to take into account the
> general length of the mgmt command itself, which could lead to
> potential buffer overflows. This patch adds the necessary check that
> the mgmt command length is consistent with the given ad and scan_rsp
> lengths.
>
> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
> ---
> net/bluetooth/mgmt.c | 4 ++++
> 1 file changed, 4 insertions(+)
patch has been applied to bluetooth-next tree.
Regards
Marcel
* Re: [PATCH 1/2] Bluetooth: Fix setting correct flags in AD
From: Marcel Holtmann @ 2016-03-11 15:31 UTC
To: Johan Hedberg; +Cc: linux-bluetooth
Hi Johan,
> A recent change added MGMT_ADV_FLAG_DISCOV to the flags returned by
> get_adv_instance_flags(), however failed to take into account limited
> discoverable mode. This patch fixes the issue by setting the correct
> discoverability flag in the AD data.
>
> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
> ---
> net/bluetooth/hci_request.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
patch has been applied to bluetooth-next tree.
Regards
Marcel