
Commit 9e8742c

Bluetooth: ISO: Fix not validating setsockopt user input
Check user input length before copying data. Fixes: ccf74f2 ("Bluetooth: Add BTPROTO_ISO socket type") Fixes: 0731c5a ("Bluetooth: ISO: Add support for BT_PKT_STATUS") Fixes: f764a6c ("Bluetooth: ISO: Add broadcast support") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
1 parent 4f39512 commit 9e8742c

1 file changed

+12
-24
lines changed

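--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1500,7 +1500,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 sockptr_t optval, unsigned int optlen)
 {
 struct sock *sk = sock->sk;
-int len, err = 0;
+int err = 0;
 struct bt_iso_qos qos = default_qos;
 u32 opt;
 
@@ -1515,10 +1515,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 break;
 }
 
-if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-err = -EFAULT;
+err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+if (err)
 break;
-}
 
 if (opt)
 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
@@ -1527,10 +1526,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 break;
 
 case BT_PKT_STATUS:
-if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-err = -EFAULT;
+err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+if (err)
 break;
-}
 
 if (opt)
 set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
@@ -1545,17 +1543,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 break;
 }
 
-len = min_t(unsigned int, sizeof(qos), optlen);
-
-if (copy_from_sockptr(&qos, optval, len)) {
-err = -EFAULT;
-break;
-}
-
-if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) {
-err = -EINVAL;
+err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
+if (err)
 break;
-}
 
 iso_pi(sk)->qos = qos;
 iso_pi(sk)->qos_user_set = true;
@@ -1570,18 +1560,16 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 }
 
 if (optlen > sizeof(iso_pi(sk)->base)) {
-err = -EOVERFLOW;
+err = -EINVAL;
 break;
 }
 
-len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen);
-
-if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) {
-err = -EFAULT;
+err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
+optlen);
+if (err)
 break;
-}
 
-iso_pi(sk)->base_len = len;
+iso_pi(sk)->base_len = optlen;
 
 break;
 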
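Review bot: In the BT_ISO_QOS branch the new code stores `qos` into `iso_pi(sk)->qos` after a length check only; the removed `check_ucast_qos(&qos)` test that returned -EINVAL has no replacement in this hunk. If the values are validated later (the connect and bind paths are not visible here), record that with a comment such as `/* QoS fields are range-checked by <validating caller>, not here */`; otherwise the check should stay after the copy. In the BT_ISO_BASE branch `bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval, optlen)` passes `optlen` as both sizes, so the helper's own size comparison presumably cannot reject anything and the only bound on the write is the preceding `optlen > sizeof(iso_pi(sk)->base)` test, which deserves a one-line comment so it is not later removed as redundant. The body of iso_sock_setsockopt starts and ends outside these hunks.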
