Bluetooth: Fix validating IO capability values in mgmt commands

The valid range of IO capabilities for the Set IO Capability and Pair Device mgmt commands is 0-4 (4 being the KeyboarDisplay capability for SMP). We should return an invalid parameters error if user space gives us a value outside of this range. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

Bluetooth: Fix validating IO capability values in mgmt commands
The valid range of IO capabilities for the Set IO Capability and Pair Device mgmt commands is 0-4 (4 being the KeyboarDisplay capability for SMP). We should return an invalid parameters error if user space gives us a value outside of this range. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
4ec86d4c · Johan Hedberg · Marcel Holtmann · 8ba8b4c0 · 4ec86d4c
Commit 4ec86d4c authored Jun 17, 2014 by Johan Hedberg Committed by Marcel Holtmann Jul 03, 2014
Show whitespace changes
Inline Side-by-side

Showing with 9 additions and 0 deletions

net/bluetooth/mgmt.c net/bluetooth/mgmt.c +9 -0

No files found.
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2766,6 +2766,10 @@ static int set_io_capability(struct sock *sk, struct hci_dev *hdev, void *data,
 	BT_DBG("");
+	if (cp->io_capability > SMP_IO_KEYBOARD_DISPLAY)
+		return cmd_complete(sk, hdev->id, MGMT_OP_SET_IO_CAPABILITY,
+				    MGMT_STATUS_INVALID_PARAMS, NULL, 0);
 	hci_dev_lock(hdev);
 	hdev->io_capability = cp->io_capability;
@@ -2878,6 +2882,11 @@ static int pair_device(struct sock *sk, struct hci_dev *hdev, void *data,
 				    MGMT_STATUS_INVALID_PARAMS,
 				    &rp, sizeof(rp));
+	if (cp->io_cap > SMP_IO_KEYBOARD_DISPLAY)
+		return cmd_complete(sk, hdev->id, MGMT_OP_PAIR_DEVICE,
+				    MGMT_STATUS_INVALID_PARAMS,
+				    &rp, sizeof(rp));
 	hci_dev_lock(hdev);
 	if (!hdev_is_powered(hdev)) {