Subject: Re: [PATCH v2 03/10] Bluetooth: HCI: Use skb_pull to parse Number of Complete Packets event
From: Marcel Holtmann
In-Reply-To: <20210419171257.3865181-4-luiz.dentz@gmail.com>
Date: Fri, 23 Apr 2021 14:28:15 +0200
To: Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org

Hi Luiz,

> This uses skb_pull to check the Number of Complete Packets events
> received have the minimum required length.
> > Signed-off-by: Luiz Augusto von Dentz > --- > include/net/bluetooth/hci.h | 2 +- > net/bluetooth/hci_event.c | 20 +++++++++++--------- > 2 files changed, 12 insertions(+), 10 deletions(-) > > diff --git a/include/net/bluetooth/hci.h b/include/net/bluetooth/hci.h > index f1f505355e81..9251ae3a2ce0 100644 > --- a/include/net/bluetooth/hci.h > +++ b/include/net/bluetooth/hci.h > @@ -2021,7 +2021,7 @@ struct hci_comp_pkts_info { > } __packed; > > struct hci_ev_num_comp_pkts { > - __u8 num_hndl; > + __u8 num; > struct hci_comp_pkts_info handles[]; > } __packed; > > diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c > index cc2d68389edc..c353dfafb04c 100644 > --- a/net/bluetooth/hci_event.c > +++ b/net/bluetooth/hci_event.c > @@ -4264,23 +4264,25 @@ static void hci_role_change_evt(struct hci_dev *hdev, struct sk_buff *skb) > > static void hci_num_comp_pkts_evt(struct hci_dev *hdev, struct sk_buff *skb) > { > - struct hci_ev_num_comp_pkts *ev = (void *) skb->data; > + struct hci_ev_num_comp_pkts *ev; > int i; > > - if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { > - bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); > + ev = hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, sizeof(*ev)); > + if (!ev) > return; > - } > > - if (skb->len < sizeof(*ev) || > - skb->len < struct_size(ev, handles, ev->num_hndl)) { > - BT_DBG("%s bad parameters", hdev->name); > + if (!hci_ev_skb_pull(hdev, skb, HCI_EV_NUM_COMP_PKTS, > + flex_array_size(ev, handles, ev->num))) > + return; > + > + if (hdev->flow_ctl_mode != HCI_FLOW_CTL_MODE_PACKET_BASED) { > + bt_dev_err(hdev, "wrong event for mode %d", hdev->flow_ctl_mode); > return; > } > > - BT_DBG("%s num_hndl %d", hdev->name, ev->num_hndl); > + BT_DBG("%s num %d", hdev->name, ev->num); If you are touching BT_DBG anyway then switch to bt_dev_dbg() please. Regards Marcel
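Review bot: in the include/net/bluetooth/hci.h hunk, renaming num_hndl to num in struct hci_ev_num_comp_pkts is not covered by the commit message, which only mentions the skb_pull length check, and it makes the field that counts the entries of handles[] less descriptive. Either keep num_hndl or split the rename into its own patch with a stated reason, and check that no user of num_hndl remains outside the two files listed in the diffstat.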
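Review bot: in hci_num_comp_pkts_evt() the flow_ctl_mode check now sits below both hci_ev_skb_pull() calls although it reads nothing from ev, so a short event received in the wrong mode returns before bt_dev_err(hdev, "wrong event for mode %d", ...) is reached. Keep the mode check first unless the reorder is intentional, in which case say so in the commit message. The removed branch also logged "bad parameters" for short events, while the two new early returns log nothing in the visible lines, so confirm that hci_ev_skb_pull() reports the failure itself.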