bluetooth: Validate socket address length in sco_sock_bind().
Change-Id: I890640975f1af64f71947b6a1820249e08f6375b
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
index 3170190..d214aa4 100644
--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -499,6 +499,9 @@
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
+ if (alen < sizeof(struct sockaddr_sco))
+ return -EINVAL;
+
memset(&sa, 0, sizeof(sa));
len = min_t(unsigned int, sizeof(sa), alen);
memcpy(&sa, addr, len);