@@ -515,6 +515,7 @@ int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *ver
*/
while (skb->len) {
struct intel_tlv *tlv;
+ int len;
tlv = (struct intel_tlv *)skb->data;
switch (tlv->type) {
@@ -580,7 +581,8 @@ int btintel_read_version_tlv(struct hci_dev *hdev, struct intel_version_tlv *ver
version->sbe_type = tlv->val[0];
break;
case INTEL_TLV_OTP_BDADDR:
- memcpy(&version->otp_bd_addr, tlv->val, tlv->len);
+ len = min_t(int, tlv->len, sizeof(version->otp_bd_addr));
+ memcpy(&version->otp_bd_addr, tlv->val, len);
break;
default:
/* Ignore rest of information */
Smatch says that "tlv->len" comes from skb->data and so it's untrusted. It can be 0-255 which is more than the size of "version->otp_bd_addr" which is 6 bytes so the memcpy() could lead to memory corruption. drivers/bluetooth/btintel.c:583 btintel_read_version_tlv() error: '__memcpy()' '&version->otp_bd_addr' too small (6 vs 255) Fix this by clamping the length to sizeof(version->otp_bd_addr). Fixes: 57375beef71a ("Bluetooth: btintel: Add infrastructure to read controller information") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- drivers/bluetooth/btintel.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)