bluetooth: Validate socket address length in sco_sock_bind().

Change-Id: Id051e0c1a5d89ea90e9b058175c37c952cad70bc Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2015-12-15 15:39:08 -0500
committer: Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de> 2016-03-18 01:51:05 +0100
commit: 65e2a5e01a1e8db7ec19dacd9aef6cac3b596552 (patch)
tree: 66cb732a1626683c2de7139b4d1361e0855c40e3 /net
parent: 7ffbc9118a4b062fdc384e3bccaca9eb55ba7f10 (diff)
download: kernel_samsung_smdk4412-65e2a5e01a1e8db7ec19dacd9aef6cac3b596552.zip
kernel_samsung_smdk4412-65e2a5e01a1e8db7ec19dacd9aef6cac3b596552.tar.gz
kernel_samsung_smdk4412-65e2a5e01a1e8db7ec19dacd9aef6cac3b596552.tar.bz2
1 files changed, 3 insertions, 0 deletions
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index ac4631d..21aded9 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -476,6 +476,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
+	if (alen < sizeof(struct sockaddr_sco))
+		return -EINVAL;
+
 	memset(&sa, 0, sizeof(sa));
 	len = min_t(unsigned int, sizeof(sa), alen);
 	memcpy(&sa, addr, len);
author	David S. Miller <davem@davemloft.net>	2015-12-15 15:39:08 -0500
committer	Wolfgang Wiedmeyer <wolfgit@wiedmeyer.de>	2016-03-18 01:51:05 +0100
commit	65e2a5e01a1e8db7ec19dacd9aef6cac3b596552 (patch)
tree	66cb732a1626683c2de7139b4d1361e0855c40e3 /net
parent	7ffbc9118a4b062fdc384e3bccaca9eb55ba7f10 (diff)
download	kernel_samsung_smdk4412-65e2a5e01a1e8db7ec19dacd9aef6cac3b596552.zip kernel_samsung_smdk4412-65e2a5e01a1e8db7ec19dacd9aef6cac3b596552.tar.gz kernel_samsung_smdk4412-65e2a5e01a1e8db7ec19dacd9aef6cac3b596552.tar.bz2