Re: [Patch net] bluetooth: validate HCI_EVENT_PKT packet carefully

2019-03-18 Thread Cong Wang
On Mon, Mar 18, 2019 at 1:45 PM Cong Wang wrote: > @@ -3978,6 +3982,9 @@ static void hci_inquiry_result_with_rssi_evt(struct > hci_dev *hdev, > > if ((skb->len - 1) / num_rsp != sizeof(struct > inquiry_info_with_rssi)) { > struct inquiry_info_with_rssi_and_pscan_mode *inf
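Review bot: in hci_inquiry_result_with_rssi_evt(), the context test `(skb->len - 1) / num_rsp != sizeof(struct inquiry_info_with_rssi)` only shows that the per-response size is not the plain RSSI record size. It does not show that the buffer holds num_rsp records of `struct inquiry_info_with_rssi_and_pscan_mode`, which is the type this branch goes on to use. The integer division also discards any remainder, so a length that is not an exact multiple of a record size is not rejected. The hunk header says three lines are added here, but they are cut off in this excerpt. If they do not already do so, each branch should verify that skb->len covers 1 + num_rsp * sizeof() of the record type it actually reads before touching skb->data, for example with the pskb_may_pull() check the commit message describes.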

[Patch net] bluetooth: validate HCI_EVENT_PKT packet carefully

2019-03-18 Thread Cong Wang
hci_event_packet() blindly assumes all packets are sane; at least for packets allocated via the vhci_get_user() path, this is not true. We have to check if we access skb data out of bounds with pskb_may_pull() before each skb->data dereference on the RX path. Probably we need the same check for other hci_eve