Bluetooth: Fix checking for valid device class values

The two lowest bits of the minor device class value are reserved and
should be zero, and the three highest bits of the major device class
likewise. The management code should therefore test for this and return
a proper "invalid params" error if the condition is not met.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 1dd41d48eb66c12e232f13ce6beafa43119dc704..f3fec4264dcff2e2f3e71a894645cbb0cd973b04 100644 (file)
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1430,6 +1430,12 @@ static int set_dev_class(struct sock *sk, struct hci_dev *hdev, void *data,
                goto unlock;
        }
 
+       if ((cp->minor & 0x03) != 0 || (cp->major & 0xe0) != 0) {
+               err = cmd_status(sk, hdev->id, MGMT_OP_SET_DEV_CLASS,
+                                MGMT_STATUS_INVALID_PARAMS);
+               goto unlock;
+       }
+
        hdev->major_class = cp->major;
        hdev->minor_class = cp->minor;