torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-03-21 23:16:50 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
linux/net/bluetooth
History
Lukas Johannes Möller dd815e6e39 Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access 
l2cap_information_rsp() checks that cmd_len covers the fixed
l2cap_info_rsp header (type + result, 4 bytes) but then reads
rsp->data without verifying that the payload is present:

 - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads
   4 bytes past the header (needs cmd_len >= 8).

 - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header
   (needs cmd_len >= 5).

A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an
out-of-bounds read of adjacent skb data.

Guard each data access with the required payload length check.  If the
payload is too short, skip the read and let the state machine complete
with safe defaults (feat_mask and remote_fixed_chan remain zero from
kzalloc), so the info timer cleanup and l2cap_conn_start() still run
and the connection is not stalled.

Fixes: 4e8402a3f8 ("[Bluetooth] Retrieve L2CAP features mask on connection setup")
Cc: stable@vger.kernel.org
Signed-off-by: Lukas Johannes Möller <research@johannes-moeller.dev>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-03-12 15:29:07 -04:00
..
bnep
Bluetooth: bnep: fix wild-memory-access in proto_unregister
2024-10-16 16:10:03 -04:00
cmtp
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
hidp
Bluetooth: HIDP: Fix possible UAF
2026-03-12 15:27:46 -04:00
rfcomm
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
6lowpan.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
af_bluetooth.c
Bluetooth: ISO: add socket option to report packet seqnum via CMSG
2025-07-23 10:31:19 -04:00
aosp.c
Bluetooth: aosp: Fix typo in comment
2025-07-23 10:30:18 -04:00
aosp.h
Bluetooth: aosp: Support AOSP Bluetooth Quality Report
2021-11-02 19:37:52 +01:00
coredump.c
Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
2025-07-23 10:33:57 -04:00
ecdh_helper.c
Bluetooth: Use crypto_wait_req
2023-02-13 18:34:48 +08:00
ecdh_helper.h
Fix misc new gcc warnings
2021-04-27 17:05:53 -07:00
eir.c
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
2025-06-11 16:29:22 -04:00
eir.h
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
2025-06-11 16:29:22 -04:00
hci_codec.c
Bluetooth: Fix support for Read Local Supported Codecs V2
2022-12-02 13:09:31 -08:00
hci_codec.h
Bluetooth: Add support for Read Local Supported Codecs V2
2021-09-07 14:09:18 -07:00
hci_conn.c
Bluetooth: ISO: Fix defer tests being unstable
2026-03-12 15:26:48 -04:00
hci_core.c
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
hci_debugfs.c
Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap
2025-07-16 15:37:53 -04:00
hci_debugfs.h
Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c
2021-09-22 16:17:13 +02:00
hci_drv.c
Bluetooth: Introduce HCI Driver protocol
2025-05-21 10:28:07 -04:00
hci_event.c
Bluetooth: Fix using PHYs bitfields as PHY value
2026-01-29 13:27:47 -05:00
hci_sock.c
Bluetooth: purge error queues in socket destructors
2026-02-23 15:30:16 -05:00
hci_sync.c
Bluetooth: hci_sync: Fix hci_le_create_conn_sync
2026-03-12 15:27:05 -04:00
hci_sysfs.c
Bluetooth: Allow reset via sysfs
2025-01-15 10:37:07 -05:00
iso.c
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
Kconfig
Bluetooth: Remove BT_HS
2024-03-06 17:22:39 -05:00
l2cap_core.c
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access
2026-03-12 15:29:07 -04:00
l2cap_sock.c
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
leds.c
Bluetooth: Use led_set_brightness() in LED trigger activate() callback
2024-09-10 13:06:11 -04:00
leds.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
lib.c
Bluetooth: Fix typos in comments
2025-07-23 10:30:48 -04:00
Makefile
Bluetooth: Introduce HCI Driver protocol
2025-05-21 10:28:07 -04:00
mgmt_config.c
Bluetooth: mgmt: Add idle_timeout to configurable system parameters
2026-01-29 13:24:22 -05:00
mgmt_config.h
Bluetooth: mgmt: Add commands for runtime configuration
2020-06-18 13:11:03 +03:00
mgmt_util.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
mgmt_util.h
Bluetooth: MGMT: Fix possible UAFs
2025-09-22 10:30:00 -04:00
mgmt.c
Bluetooth: MGMT: Fix list corruption and UAF in command complete handlers
2026-03-12 15:27:25 -04:00
msft.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
msft.h
Bluetooth: msft: fix slab-use-after-free in msft_do_close()
2024-05-03 13:05:28 -04:00
sco.c
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
selftest.c
crypto: ecdh - move curve_id of ECDH from the key to algorithm name
2021-03-13 00:04:03 +11:00
selftest.h
smp.c
Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
2026-03-12 15:26:30 -04:00
smp.h
Bluetooth: SMP: If an unallowed command is received consider it a failure
2025-07-16 15:33:30 -04:00