From b4c1daad20ed8cd9895cbd66c85720f0bdcc142e Mon Sep 17 00:00:00 2001
From: Johan Hedberg
Date: Thu, 27 Oct 2011 16:27:34 +0200
Subject: [PATCH] Add missing response length checks to btmgmt

---
 mgmt/main.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/mgmt/main.c b/mgmt/main.c
index 37e0bddbc..6090eed50 100644
--- a/mgmt/main.c
+++ b/mgmt/main.c
@@ -431,6 +431,11 @@ static void info_rsp(int mgmt_sk, uint16_t op, uint16_t id, uint8_t status,
 exit(EXIT_FAILURE);
 }
 
+ if (len < sizeof(*rp)) {
+ fprintf(stderr, "Too small info reply (%u bytes)\n", len);
+ exit(EXIT_FAILURE);
+ }
+
 ba2str(&rp->bdaddr, addr);
 printf("hci%u:\ttype %u addr %s\n", id, rp->type, addr);
 printf("\tclass 0x%02x%02x%02x\n",
@@ -517,6 +522,12 @@ static void power_rsp(int mgmt_sk, uint16_t op, uint16_t id, uint8_t status,
 exit(EXIT_FAILURE);
 }
 
+ if (len < sizeof(*rp)) {
+ fprintf(stderr, "Too small set_powered response (%u bytes)\n",
+ len);
+ exit(EXIT_FAILURE);
+ }
+
 printf("hci%u powered %s\n", id, rp->val ? "on" : "off");
 
 exit(EXIT_SUCCESS);
-- 
2.47.3
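Review bot: The new guard in info_rsp (and the identical one in power_rsp) reports only the received size, so a short reply is rejected before `rp->bdaddr` or `rp->val` is read but the message does not say how many bytes were required; printing the expected size as well, e.g. `fprintf(stderr, "Too small info reply (%u bytes, expected %zu)\n", len, sizeof(*rp));`, would make a truncated reply easier to diagnose. The same four lines are now repeated per handler, and the remaining reply callbacks in mgmt/main.c are outside this diff, so it is worth confirming that each one that casts its parameter to a reply struct has the same check before the first dereference. The declaration of `len` sits on a signature line outside both hunks, so the `%u` conversion assumes an unsigned type no wider than `unsigned int`. Both function bodies start and end outside the hunks.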