mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-04 04:04:19 +00:00
Bluetooth: HCI: Use skb_pull_data to parse LE Metaevents
This uses skb_pull_data to check the LE Metaevents received have the minimum required length. Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
parent
70a6b8de6a
commit
12cfe4176a
@ -69,6 +69,18 @@ static void *hci_cc_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
|
||||
return data;
|
||||
}
|
||||
|
||||
static void *hci_le_ev_skb_pull(struct hci_dev *hdev, struct sk_buff *skb,
|
||||
u8 ev, size_t len)
|
||||
{
|
||||
void *data;
|
||||
|
||||
data = skb_pull_data(skb, len);
|
||||
if (!data)
|
||||
bt_dev_err(hdev, "Malformed LE Event: 0x%2.2x", ev);
|
||||
|
||||
return data;
|
||||
}
|
||||
|
||||
static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
|
||||
u8 *new_status)
|
||||
{
|
||||
@ -6119,7 +6131,12 @@ static void le_conn_complete_evt(struct hci_dev *hdev, u8 status,
|
||||
|
||||
static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_conn_complete *ev = (void *) skb->data;
|
||||
struct hci_ev_le_conn_complete *ev;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_CONN_COMPLETE,
|
||||
sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
@ -6133,7 +6150,12 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_enh_conn_complete *ev = (void *) skb->data;
|
||||
struct hci_ev_le_enh_conn_complete *ev;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_ENHANCED_CONN_COMPLETE,
|
||||
sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
@ -6146,10 +6168,15 @@ static void hci_le_enh_conn_complete_evt(struct hci_dev *hdev,
|
||||
|
||||
static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
{
|
||||
struct hci_evt_le_ext_adv_set_term *ev = (void *) skb->data;
|
||||
struct hci_evt_le_ext_adv_set_term *ev;
|
||||
struct hci_conn *conn;
|
||||
struct adv_info *adv, *n;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_SET_TERM,
|
||||
sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
adv = hci_find_adv_instance(hdev, ev->handle);
|
||||
@ -6211,9 +6238,14 @@ static void hci_le_ext_adv_term_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
static void hci_le_conn_update_complete_evt(struct hci_dev *hdev,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_conn_update_complete *ev = (void *) skb->data;
|
||||
struct hci_ev_le_conn_update_complete *ev;
|
||||
struct hci_conn *conn;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_CONN_UPDATE_COMPLETE,
|
||||
sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
if (ev->status)
|
||||
@ -6636,9 +6668,14 @@ static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_remote_feat_complete *ev = (void *)skb->data;
|
||||
struct hci_ev_le_remote_feat_complete *ev;
|
||||
struct hci_conn *conn;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_EXT_ADV_REPORT,
|
||||
sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
hci_dev_lock(hdev);
|
||||
@ -6677,12 +6714,16 @@ static void hci_le_remote_feat_complete_evt(struct hci_dev *hdev,
|
||||
|
||||
static void hci_le_ltk_request_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_ltk_req *ev = (void *) skb->data;
|
||||
struct hci_ev_le_ltk_req *ev;
|
||||
struct hci_cp_le_ltk_reply cp;
|
||||
struct hci_cp_le_ltk_neg_reply neg;
|
||||
struct hci_conn *conn;
|
||||
struct smp_ltk *ltk;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_LTK_REQ, sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s handle 0x%4.4x", hdev->name, __le16_to_cpu(ev->handle));
|
||||
|
||||
hci_dev_lock(hdev);
|
||||
@ -6754,11 +6795,16 @@ static void send_conn_param_neg_reply(struct hci_dev *hdev, u16 handle,
|
||||
static void hci_le_remote_conn_param_req_evt(struct hci_dev *hdev,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_remote_conn_param_req *ev = (void *) skb->data;
|
||||
struct hci_ev_le_remote_conn_param_req *ev;
|
||||
struct hci_cp_le_conn_param_req_reply cp;
|
||||
struct hci_conn *hcon;
|
||||
u16 handle, min, max, latency, timeout;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_REMOTE_CONN_PARAM_REQ,
|
||||
sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
handle = le16_to_cpu(ev->handle);
|
||||
min = le16_to_cpu(ev->interval_min);
|
||||
max = le16_to_cpu(ev->interval_max);
|
||||
@ -6831,9 +6877,14 @@ static void hci_le_direct_adv_report_evt(struct hci_dev *hdev,
|
||||
|
||||
static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_phy_update_complete *ev = (void *) skb->data;
|
||||
struct hci_ev_le_phy_update_complete *ev;
|
||||
struct hci_conn *conn;
|
||||
|
||||
ev = hci_le_ev_skb_pull(hdev, skb, HCI_EV_LE_PHY_UPDATE_COMPLETE,
|
||||
sizeof(*ev));
|
||||
if (ev)
|
||||
return;
|
||||
|
||||
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
|
||||
|
||||
if (ev->status)
|
||||
@ -6854,11 +6905,13 @@ static void hci_le_phy_update_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
|
||||
static void hci_le_meta_evt(struct hci_dev *hdev, struct sk_buff *skb)
|
||||
{
|
||||
struct hci_ev_le_meta *le_ev = (void *) skb->data;
|
||||
struct hci_ev_le_meta *ev;
|
||||
|
||||
skb_pull(skb, sizeof(*le_ev));
|
||||
ev = hci_ev_skb_pull(hdev, skb, HCI_EV_LE_META, sizeof(*ev));
|
||||
if (!ev)
|
||||
return;
|
||||
|
||||
switch (le_ev->subevent) {
|
||||
switch (ev->subevent) {
|
||||
case HCI_EV_LE_CONN_COMPLETE:
|
||||
hci_le_conn_complete_evt(hdev, skb);
|
||||
break;
|
||||
|
Loading…
Reference in New Issue
Block a user