* [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it
From: Pengpeng Hou @ 2026-04-17 7:34 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: Kees Cook, Jakub Kicinski, Bastien Nocera, Thomas Gleixner,
Ingo Molnar, linux-bluetooth, linux-kernel, Pengpeng Hou, stable
rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the code does not re-check that the
frame still has at least one payload byte before dereferencing skb->data.
A malformed short frame can therefore trigger an out-of-bounds read.

Drop the frame if the optional credit byte is not present.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
net/bluetooth/rfcomm/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151e..964a78d473cc 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1715,6 +1715,9 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
}
if (pf && d->cfc) {
+ if (!skb->len)
+ goto drop;
+
u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
d->tx_credits += credits;
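Review bot: the new `if (!skb->len) goto drop;` guard sits two statements away from the read it protects, `u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);`, so the length check and the pull can drift apart in later edits; the kernel's skb_pull_data() does the length check and the pull in one call and returns NULL when fewer bytes than requested are present, which keeps the check and the consumption together. The unchanged line also carries two statements on one line and could be split while this block is being touched, and `goto drop` relies on a `drop` label in rfcomm_recv_data() that lies outside the hunk's context.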
--
2.50.1 (Apple Git-155)
From: bluez.test.bot @ 2026-04-17 8:36 UTC (permalink / raw)
To: linux-bluetooth, pengpeng
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1082376
---Test result---
Test Summary:
CheckPatch PASS 0.78 seconds
GitLint PASS 0.34 seconds
SubjectPrefix PASS 0.13 seconds
BuildKernel PASS 24.95 seconds
CheckAllWarning PASS 27.68 seconds
CheckSparse PASS 26.20 seconds
BuildKernel32 PASS 24.60 seconds
TestRunnerSetup PASS 517.52 seconds
TestRunner_rfcomm-tester PASS 9.45 seconds
IncrementalBuild PASS 23.60 seconds
https://github.com/bluez/bluetooth-next/pull/97
---
Regards,
Linux Bluetooth
From: Luiz Augusto von Dentz @ 2026-04-22 15:15 UTC (permalink / raw)
To: Pengpeng Hou
Cc: Marcel Holtmann, Kees Cook, Jakub Kicinski, Bastien Nocera,
Thomas Gleixner, Ingo Molnar, linux-bluetooth, linux-kernel,
stable
Hi Pengpeng,
On Fri, Apr 17, 2026 at 3:35 AM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> rfcomm_recv_data() treats the first payload byte as a credit field when
> the UIH frame carries PF and credit-based flow control is enabled.
>
> After the header has been stripped, the code does not re-check that the
> frame still has at least one payload byte before dereferencing skb->data.
> A malformed short frame can therefore trigger an out-of-bounds read.
>
> Drop the frame if the optional credit byte is not present.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
> net/bluetooth/rfcomm/core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index 611a9a94151e..964a78d473cc 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1715,6 +1715,9 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
> }
>
> if (pf && d->cfc) {
> + if (!skb->len)
> + goto drop;
We can probably use skb_pull_data below, which checks skb->len.
> u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
>
> d->tx_credits += credits;
> --
> 2.50.1 (Apple Git-155)
>
--
Luiz Augusto von Dentz
From: Pengpeng Hou @ 2026-04-23 15:31 UTC (permalink / raw)
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: Kees Cook, Jakub Kicinski, Ingo Molnar, Bastien Nocera,
Thomas Gleixner, linux-bluetooth, linux-kernel, stable, pengpeng
rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the PF/CFC path consumes that byte
with a direct skb->data dereference followed by skb_pull(). A malformed
short frame can reach this path without a byte available.

Use skb_pull_data() so the length check and pull happen together before
the returned credit byte is consumed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
Changes since v1:
- use skb_pull_data() as suggested by Luiz Augusto von Dentz
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151e..d11bd5337d57 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1715,9 +1715,12 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
}
if (pf && d->cfc) {
- u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
+ u8 *credits = skb_pull_data(skb, 1);
- d->tx_credits += credits;
+ if (!credits)
+ goto drop;
+
+ d->tx_credits += *credits;
if (d->tx_credits)
clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
}
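Review bot: `u8 *credits = skb_pull_data(skb, 1);` turns `credits` into a pointer where v1's `credits` held the byte value, so `d->tx_credits += *credits;` is correct but the unchanged name invites a later `+= credits` slip; naming the pointer differently (e.g. `credit`) or copying the byte into a `u8` right after the NULL check would make the intent obvious. Dropping the frame is the right outcome, since under credit-based flow control a UIH frame with P/F set is defined to carry exactly this credit byte. Separately, v1 carried a `Cc: stable@vger.kernel.org` tag that this version's trailer no longer has, while `stable` is still on the mail Cc; restoring the tag keeps the backport request explicit.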
--
2.50.1 (Apple Git-155)
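As an added example (not kernel code and not part of this thread), the following userspace model shows the credit-byte handling that the v1 and v2 commit messages above describe: struct skb, skb_pull_data() and recv_credits() are simplified stand-ins for the kernel's struct sk_buff, its skb_pull_data() helper and the pf && d->cfc branch of rfcomm_recv_data(), assuming a linear buffer and a constructed two-byte frame.

```c
/* Added example, not kernel code: a userspace model of the credit-byte
 * step fixed by this patch. struct skb, skb_pull_data() and
 * recv_credits() are simplified stand-ins for struct sk_buff, the
 * kernel's skb_pull_data() and the PF/CFC branch of rfcomm_recv_data(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct skb {                 /* minimal stand-in for struct sk_buff */
	uint8_t *data;           /* current start of the payload */
	size_t len;              /* bytes remaining from data */
};

struct dlc {                 /* the fields of struct rfcomm_dlc we need */
	bool cfc;                /* credit-based flow control negotiated */
	unsigned int tx_credits;
	bool tx_throttled;       /* models the RFCOMM_TX_THROTTLED bit */
};

/* Mirrors the kernel helper's contract: refuse to pull more bytes than
 * are present and return NULL instead of advancing past the buffer. */
static void *skb_pull_data(struct skb *skb, size_t n)
{
	void *p = skb->data;

	if (skb->len < n)
		return NULL;
	skb->data += n;
	skb->len -= n;
	return p;
}

/* Returns true if the frame is accepted, false if it must be dropped.
 * A UIH frame with PF set under CFC must carry one credit byte; a frame
 * that reaches this point with no payload is malformed and is dropped
 * rather than read past its end. */
static bool recv_credits(struct dlc *d, int pf, struct skb *skb)
{
	if (pf && d->cfc) {
		uint8_t *credit = skb_pull_data(skb, 1);

		if (!credit)         /* length check and pull done together */
			return false;
		d->tx_credits += *credit;
		if (d->tx_credits)
			d->tx_throttled = false;
	}
	return true;
}
```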
From: bluez.test.bot @ 2026-04-23 23:29 UTC (permalink / raw)
To: linux-bluetooth, pengpeng
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1084930
---Test result---
Test Summary:
CheckPatch PASS 0.52 seconds
GitLint PASS 0.23 seconds
SubjectPrefix PASS 0.09 seconds
BuildKernel PASS 21.35 seconds
CheckAllWarning PASS 23.64 seconds
CheckSparse PASS 23.81 seconds
BuildKernel32 PASS 20.22 seconds
TestRunnerSetup PASS 415.26 seconds
TestRunner_rfcomm-tester PASS 7.45 seconds
IncrementalBuild PASS 20.39 seconds
https://github.com/bluez/bluetooth-next/pull/118
---
Regards,
Linux Bluetooth
From: patchwork-bot+bluetooth @ 2026-04-24 18:50 UTC (permalink / raw)
To: Pengpeng Hou
Cc: marcel, luiz.dentz, kees, kuba, mingo, hadess, tglx,
linux-bluetooth, linux-kernel, stable
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Thu, 23 Apr 2026 23:31:00 +0800 you wrote:
> rfcomm_recv_data() treats the first payload byte as a credit field when
> the UIH frame carries PF and credit-based flow control is enabled.
>
> After the header has been stripped, the PF/CFC path consumes that byte
> with a direct skb->data dereference followed by skb_pull(). A malformed
> short frame can reach this path without a byte available.
>
> [...]
Here is the summary with links:
- [v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data()
https://git.kernel.org/bluetooth/bluetooth-next/c/2940edce391d
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html