Bluetooth: Enforce packet types in hci_recv_frame driver function

When calling the hci_recv_frame driver function check for valid packet
types that the core should process. This should catch issues with
drivers trying to feed vendor packet types through this interface.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 43a1f2d8ffd31aaee9b010ad8c4d85ca9eccaa75..b2095ca8472e80dde19c5a4834f34156fea5dca2 100644 (file)
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3538,6 +3538,13 @@ int hci_recv_frame(struct hci_dev *hdev, struct sk_buff *skb)
                return -ENXIO;
        }
 
+       if (bt_cb(skb)->pkt_type != HCI_EVENT_PKT &&
+           bt_cb(skb)->pkt_type != HCI_ACLDATA_PKT &&
+           bt_cb(skb)->pkt_type != HCI_SCODATA_PKT) {
+               kfree_skb(skb);
+               return -EINVAL;
+       }
+
        /* Incoming skb */
        bt_cb(skb)->incoming = 1;