From: Muhammad Bilal <meatuni001@gmail.com>
To: linux-bluetooth@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, marcel@holtmann.org,
luiz.dentz@gmail.com, johan.hedberg@gmail.com,
pmenzel@molgen.mpg.de, stable@vger.kernel.org,
Muhammad Bilal <meatuni001@gmail.com>
Subject: [PATCH v2] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify
Date: Mon, 18 May 2026 20:14:37 -0400 [thread overview]
Message-ID: <20260519001437.156400-1-meatuni001@gmail.com> (raw)
In-Reply-To: <20260517145417.31910-1-meatuni001@gmail.com>
smp_cmd_keypress_notify() accesses the received payload as
struct smp_cmd_keypress_notify without verifying that skb->len
contains enough data.
smp_sig_channel() removes the opcode byte before dispatching to
command handlers, so a SMP_CMD_KEYPRESS_NOTIFY packet without a
payload leaves skb->len equal to zero on entry to the handler,
causing a 1-byte out-of-bounds read from the heap.
Use skb_pull_data() to safely consume the payload; it performs
a bounds check internally and returns NULL when the packet is too
short. Add a ratelimited warning in that path to aid debugging
of malformed packets, matching the pattern used by hci_event.c.
Fixes: 1408bb6efb04 ("Bluetooth: Add dummy handler for LE SC keypress notification")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
---
net/bluetooth/smp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 98f1da4f5..1b237e623 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2930,7 +2930,15 @@ static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
struct sk_buff *skb)
{
- struct smp_cmd_keypress_notify *kp = (void *) skb->data;
+ struct smp_cmd_keypress_notify *kp;
+
+ kp = skb_pull_data(skb, sizeof(struct smp_cmd_keypress_notify));
+ if (!kp) {
+ bt_dev_warn_ratelimited(conn->hcon->hdev,
+ "Too small packet: skb->len %u < %zu",
+ skb->len, sizeof(struct smp_cmd_keypress_notify));
+ return SMP_INVALID_PARAMS;
+ }
bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
--
2.54.0
next prev parent reply other threads:[~2026-05-19 0:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-17 14:54 [PATCH] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify Muhammad Bilal
2026-05-17 16:13 ` bluez.test.bot
2026-05-17 17:47 ` [PATCH] " Paul Menzel
2026-05-17 18:08 ` Muhammad Bilal
2026-05-17 18:41 ` Paul Menzel
2026-05-17 19:03 ` Muhammad Bilal
2026-05-18 20:29 ` Paul Menzel
2026-05-18 20:37 ` Luiz Augusto von Dentz
2026-05-19 0:14 ` Muhammad Bilal [this message]
2026-05-19 2:00 ` [v2] " bluez.test.bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260519001437.156400-1-meatuni001@gmail.com \
--to=meatuni001@gmail.com \
--cc=johan.hedberg@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.dentz@gmail.com \
--cc=marcel@holtmann.org \
--cc=pmenzel@molgen.mpg.de \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.