bluetooth: Validate socket address length in sco_sock_bind().mm6.0

Change-Id: I890640975f1af64f71947b6a1820249e08f6375b Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2015-12-15 15:39:08 -0500
committer: Drgravy <drg113001@gmail.com> 2015-12-16 18:01:27 -0600
commit: 6efb14505b0de11718f97448e088853b4beafc83 (patch)
tree: 74f3d7cbf37cbfd6bf07314e7c0ef3bb6ef31844
parent: 6b6b9148ee993af23104738056ba16a88554dbf5 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 3170190f83c..d214aa4a876 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,6 +499,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
+	if (alen < sizeof(struct sockaddr_sco))
+		return -EINVAL;
+
 	memset(&sa, 0, sizeof(sa));
 	len = min_t(unsigned int, sizeof(sa), alen);
 	memcpy(&sa, addr, len);
author	David S. Miller <davem@davemloft.net>	2015-12-15 15:39:08 -0500
committer	Drgravy <drg113001@gmail.com>	2015-12-16 18:01:27 -0600
commit	6efb14505b0de11718f97448e088853b4beafc83 (patch)
tree	74f3d7cbf37cbfd6bf07314e7c0ef3bb6ef31844
parent	6b6b9148ee993af23104738056ba16a88554dbf5 (diff)