As I explained in my email, the original code is buggy if
num_reports > 1 (probably uncommon), but your code is buggy for
num_reports >= 1 (everything).

regards,
dan carpenter

On Thu, Apr 4, 2019 at 1:35 AM Dan Carpenter wrote:
>
> On Wed, Apr 03, 2019 at 04:08:34PM -0700, Cong Wang wrote:
> > static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff
> > *skb)
> > {
> > - u8 num_reports = skb->data[0];
> > - void *ptr = &skb->data[1];
> > +

On Wed, Apr 03, 2019 at 04:08:34PM -0700, Cong Wang wrote:
> static void hci_le_ext_adv_report_evt(struct hci_dev *hdev, struct sk_buff
> *skb)
> {
> - u8 num_reports = skb->data[0];
> - void *ptr = &skb->data[1];
> + unsigned int len;
> + u8 num_reports;
> +
> + if (unlikely
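
Review bot: at the top of hci_le_ext_adv_report_evt(), `num_reports` is now declared without its initialiser from skb->data[0] and the `ptr = &skb->data[1]` line is dropped, so every later read depends on the check that starts at `if (unlikely`, which is cut off in this quote. Because the report count is taken from the packet, that check should cover the count byte before it is read, and the remaining length should be re-validated for each of the num_reports entries as the parser advances, not only once before the first report. It would also help to state in a comment what `len` holds (bytes remaining in the skb, or the size of the current report), since both are plausible from the declaration alone.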

Similarly, we need to check skb->data boundary for
HCI_EV_LE_META event too.
Note, hci_le_adv_report_evt() and hci_le_ext_adv_report_evt()
are slightly complicated, as they read the length of the field
from the packet as well.
Cc: Marcel Holtmann
Cc: Johan Hedberg
Cc: Dan Carpenter
Reviewed-by

Similarly, we need to check skb->data boundary for
HCI_EV_LE_META event too.
Note, hci_le_adv_report_evt() and hci_le_ext_adv_report_evt()
are slightly complicated, as they read the length of the field
from the packet too.
Cc: Marcel Holtmann
Cc: Johan Hedberg
Signed-off-by: Cong Wang
---
net