
Commit 6a6baa1

Vudentzgregkh
authored andcommitted
Bluetooth: ISO: Fix not validating setsockopt user input
[ Upstream commit 9e8742c ] Check user input length before copying data. Fixes: ccf74f2 ("Bluetooth: Add BTPROTO_ISO socket type") Fixes: 0731c5a ("Bluetooth: ISO: Add support for BT_PKT_STATUS") Fixes: f764a6c ("Bluetooth: ISO: Add broadcast support") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
1 parent dea46e2 commit 6a6baa1


1 file changed

+12
-24
lines changed


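--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1349,7 +1349,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 sockptr_t optval, unsigned int optlen)
 {
 struct sock *sk = sock->sk;
-int len, err = 0;
+int err = 0;
 struct bt_iso_qos qos = default_qos;
 u32 opt;
 
@@ -1364,10 +1364,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 break;
 }
 
-if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-err = -EFAULT;
+err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+if (err)
 break;
-}
 
 if (opt)
 set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
@@ -1376,10 +1375,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 break;
 
 case BT_PKT_STATUS:
-if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
-err = -EFAULT;
+err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+if (err)
 break;
-}
 
 if (opt)
 set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
@@ -1394,17 +1392,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 break;
 }
 
-len = min_t(unsigned int, sizeof(qos), optlen);
-
-if (copy_from_sockptr(&qos, optval, len)) {
-err = -EFAULT;
-break;
-}
-
-if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) {
-err = -EINVAL;
+err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
+if (err)
 break;
-}
 
 iso_pi(sk)->qos = qos;
 iso_pi(sk)->qos_user_set = true;
@@ -1419,18 +1409,16 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
 }
 
 if (optlen > sizeof(iso_pi(sk)->base)) {
-err = -EOVERFLOW;
+err = -EINVAL;
 break;
 }
 
-len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen);
-
-if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) {
-err = -EFAULT;
+err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
+optlen);
+if (err)
 break;
-}
 
-iso_pi(sk)->base_len = len;
+iso_pi(sk)->base_len = optlen;
 
 break;
 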
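Review bot: The BT_ISO_QOS hunk (`@@ -1394,17 +1392,9 @@`) drops the `check_ucast_qos(&qos)` call along with the old copy, so the new side stores the user-supplied structure in `iso_pi(sk)->qos` with no range check visible in this function. If the QoS is validated later, before it is used, a comment after the copy such as `/* qos is range-checked when the connection is set up, not here */` would record that; if it is not, the check needs to come back in a form that still accepts the broadcast layout. `bt_copy_from_sockptr()` is not shown on this page; assuming it rejects an `optlen` smaller than the destination size, callers that passed a shorter structure and previously got a partial copy over `default_qos` will now fail, which is worth stating in the commit message. In the last hunk the helper receives `optlen` as both sizes, so the only effective bound on the copy into `iso_pi(sk)->base` is the preceding `optlen > sizeof(iso_pi(sk)->base)` test, and a one-line comment there would keep the two from being separated. `iso_sock_setsockopt` starts and ends outside the hunks shown.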
