From: Marcel Holtmann Date: Thu, 8 Oct 2015 01:14:28 +0000 (+0200) Subject: Bluetooth: Enforce packet types in hci_recv_frame driver function X-Git-Tag: firefly_0821_release~176^2~818^2~173^2~8 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=fe806dceded462f7930f8ac4a41c5d19819e70b7;p=firefly-linux-kernel-4.4.55.git Bluetooth: Enforce packet types in hci_recv_frame driver function When calling the hci_recv_frame driver function check for valid packet types that the core should process. This should catch issues with drivers trying to feed vendor packet types through this interface. Signed-off-by: Marcel Holtmann Signed-off-by: Johan Hedberg --- diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 43a1f2d8ffd3..b2095ca8472e 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -3538,6 +3538,13 @@ int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb) return -ENXIO; } + if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT && + bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT && + bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) { + kfree_skb(skb); + return -EINVAL; + } + /* Incoming skb */ bt_cb(skb)->incoming = 1;