From 1a82ad4108b3d30334dcad4478c4a8e11598d9d7 Mon Sep 17 00:00:00 2001
From: Johan Hedberg
Date: Wed, 9 Oct 2013 15:30:38 +0200
Subject: [PATCH] monitor: Add missing EIR field length checks
---
 monitor/packet.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/monitor/packet.c b/monitor/packet.c
index 3f83aea73..fae61611f 100644
--- a/monitor/packet.c
+++ b/monitor/packet.c
@@ -2331,6 +2331,8 @@ static void print_eir(const uint8_t *eir, uint8_t eir_len, bool le)
 break;
 case BT_EIR_TX_POWER:
+ if (data_len < 1)
+ break;
 print_field("TX power: %d dBm", (int8_t) *data);
 break;
@@ -2341,10 +2343,14 @@ static void print_eir(const uint8_t *eir, uint8_t eir_len, bool le)
 break;
 case BT_EIR_SSP_HASH_P192:
+ if (data_len < 16)
+ break;
 print_hash("P-192", data);
 break;
 case BT_EIR_SSP_RANDOMIZER_P192:
+ if (data_len < 16)
+ break;
 print_randomizer("P-192", data);
 break;
@@ -2417,10 +2423,14 @@ static void print_eir(const uint8_t *eir, uint8_t eir_len, bool le)
 break;
 case BT_EIR_SSP_HASH_P256:
+ if (data_len < 16)
+ break;
 print_hash("P-256", data);
 break;
 case BT_EIR_SSP_RANDOMIZER_P256:
+ if (data_len < 16)
+ break;
 print_randomizer("P-256", data);
 break;
--
2.47.3
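Review bot: The new `if (data_len < 1) break;` under `case BT_EIR_TX_POWER:` drops a truncated field without printing anything, so a malformed EIR/advertising structure is invisible to whoever reads the trace unless code after the switch dumps it, which this hunk does not show. For a monitor the malformed field is itself the finding; consider reporting it before the break, e.g. `print_field("TX power: invalid length %u", data_len);`, with the specifier matched to data_len's declaration. The same applies to the four `data_len < 16` checks for the P-192 and P-256 hash and randomizer cases in the later hunks. print_eir begins and ends outside these hunks, so the declaration of data_len and any fallback dump are not visible here.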
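Review bot: The literal `16` in the `BT_EIR_SSP_HASH_P192` and `BT_EIR_SSP_RANDOMIZER_P192` checks has to agree with how many bytes print_hash() and print_randomizer() read, but those helpers take only a pointer and are defined outside the hunk, so the coupling is implicit. A short comment such as `/* SSP hash/randomizer values are 16 octets; the print helpers get no length */`, or a named constant, would keep the check and the helpers in step; the P-256 hunk repeats the same literal. Note also that `< 16` accepts an over-long field and silently ignores the extra bytes; if the field is meant to be exactly 16 octets, `!= 16` would flag both cases, which is worth confirming against the helpers.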