* [PATCH] Bluetooth: hci: validate codec capability element length
@ 2026-06-08 23:56 Samuel Moelius
From: Samuel Moelius @ 2026-06-08 23:56 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Samuel Moelius, Luiz Augusto von Dentz,
open list:BLUETOOTH SUBSYSTEM, open list
Read Local Codec Capabilities returns a sequence of capability elements.
Each element starts with a one-byte length followed by that many payload
bytes.

hci_read_codec_capabilities() checks that the skb contains the length
byte, but then validates only caps->len against the remaining skb
length. A malformed controller response with one remaining byte and
caps->len set to one passes that check even though the element needs two
bytes. The parser then records a two-byte capability and copies one
byte beyond the advertised response payload into the codec list.

Validate the full element size, including the length byte, before adding
it to the accumulated capability length. This preserves all well-formed
capability elements and drops only truncated controller responses.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
net/bluetooth/hci_codec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hci_codec.c b/net/bluetooth/hci_codec.c
index 3cc135bb1d30..5bc5003c387c 100644
--- a/net/bluetooth/hci_codec.c
+++ b/net/bluetooth/hci_codec.c
@@ -100,7 +100,7 @@ static void hci_read_codec_capabilities(struct hci_dev *hdev, __u8 transport,
caps = (void *)skb->data;
if (skb->len < sizeof(*caps))
goto error;
- if (skb->len < caps->len)
+ if (skb->len < sizeof(caps->len) + caps->len)
goto error;
len += sizeof(caps->len) + caps->len;
skb_pull(skb, sizeof(caps->len) + caps->len);
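Review bot: the corrected condition in this hunk still depends on the preceding `skb->len < sizeof(*caps)` test, since `caps->len` is read before the new check runs, so that line must stay; it is not made redundant by the fix. The expression `sizeof(caps->len) + caps->len` now appears three times in a row (the check, the `len +=` accumulation and `skb_pull()`); hoisting it into a local such as `elem_len` would keep the three uses in sync if the element layout ever changes. The commit message also carries no `Fixes:` tag; as the change stops a copy past the advertised response payload on a malformed controller response, naming the commit that introduced the parser would help stable backports.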
--
2.43.0
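The length walk the commit message describes, as an added C example that is not the kernel's code: walk_caps() models the skb as a byte buffer and applies either the pre-patch check or the patched one to constructed inputs, so the one-remaining-byte case and a well-formed sequence can be compared side by side.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-alone model of the length walk in hci_read_codec_capabilities():
 * the skb is a byte buffer with `pos` bytes already pulled, each element
 * is a one-byte length followed by that many payload bytes. Returns the
 * accumulated element length (what the kernel adds into `len`) or -1 when
 * a check rejects the input. fixed == 0 applies the pre-patch check
 * `skb->len < caps->len`; fixed == 1 applies the patched
 * `skb->len < sizeof(caps->len) + caps->len`. */
static int walk_caps(const uint8_t *buf, size_t buf_len, unsigned num_caps,
                     int fixed)
{
    size_t pos = 0;
    int total = 0;

    for (unsigned i = 0; i < num_caps; i++) {
        size_t remaining = buf_len - pos;          /* skb->len */

        if (remaining < 1)                         /* skb->len < sizeof(*caps) */
            return -1;
        uint8_t elem_len = buf[pos];               /* caps->len */
        size_t need = fixed ? 1 + (size_t)elem_len : elem_len;
        if (remaining < need)                      /* the one-line difference */
            return -1;
        total += 1 + elem_len;        /* len += sizeof(caps->len) + caps->len */
        pos += 1 + elem_len;          /* skb_pull(skb, sizeof(caps->len) + caps->len) */
        if (pos > buf_len)            /* walked past the buffer: stop and report it */
            break;
    }
    return total;
}

/* Constructed inputs, not captured controller responses. */

/* One remaining byte whose length field is 1: the case in the commit
 * message. The old check passes (1 < 1 is false) and accounts for a
 * two-byte element inside a one-byte buffer; the new check rejects it. */
static const uint8_t malformed[] = { 0x01 };
int malformed_old(void)   { return walk_caps(malformed, sizeof malformed, 1, 0); }
int malformed_fixed(void) { return walk_caps(malformed, sizeof malformed, 1, 1); }

/* Two well-formed elements (2 payload bytes, then 0): both checks accept
 * and account for exactly the four bytes present. */
static const uint8_t wellformed[] = { 0x02, 0xAA, 0xBB, 0x00 };
int wellformed_old(void)   { return walk_caps(wellformed, sizeof wellformed, 2, 0); }
int wellformed_fixed(void) { return walk_caps(wellformed, sizeof wellformed, 2, 1); }
```

The only inputs the two checks disagree on are those where the remaining length equals the element's length field, which is exactly the off-by-one the patch closes.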
* RE: Bluetooth: hci: validate codec capability element length
From: bluez.test.bot @ 2026-06-09 2:08 UTC (permalink / raw)
To: linux-bluetooth, sam.moelius
This is an automated email, please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108156
---Test result---
Test Summary:
CheckPatch PASS 0.61 seconds
VerifyFixes PASS 0.08 seconds
VerifySignedoff PASS 0.07 seconds
GitLint PASS 0.21 seconds
SubjectPrefix PASS 0.07 seconds
BuildKernel PASS 26.58 seconds
CheckAllWarning PASS 29.53 seconds
CheckSparse PASS 28.04 seconds
BuildKernel32 PASS 25.93 seconds
TestRunnerSetup PASS 577.06 seconds
TestRunner_l2cap-tester PASS 60.65 seconds
TestRunner_iso-tester PASS 78.61 seconds
TestRunner_bnep-tester PASS 19.09 seconds
TestRunner_mgmt-tester FAIL 216.08 seconds
TestRunner_rfcomm-tester PASS 26.05 seconds
TestRunner_sco-tester PASS 32.97 seconds
TestRunner_ioctl-tester PASS 26.16 seconds
TestRunner_mesh-tester FAIL 25.86 seconds
TestRunner_smp-tester PASS 23.83 seconds
TestRunner_userchan-tester PASS 20.28 seconds
TestRunner_6lowpan-tester PASS 22.87 seconds
IncrementalBuild PASS 25.00 seconds
Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4
Failed Test Cases
Read Exp Feature - Success Failed 0.249 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0
Failed Test Cases
Mesh - Send cancel - 1 Timed out 2.188 seconds
Mesh - Send cancel - 2 Timed out 1.989 seconds
https://github.com/bluez/bluetooth-next/pull/293
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: hci: validate codec capability element length
From: patchwork-bot+bluetooth @ 2026-06-10 15:40 UTC (permalink / raw)
To: Samuel Moelius; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 8 Jun 2026 23:56:28 +0000 you wrote:
> Read Local Codec Capabilities returns a sequence of capability elements.
> Each element starts with a one-byte length followed by that many payload
> bytes.
>
> hci_read_codec_capabilities() checks that the skb contains the length
> byte, but then validates only caps->len against the remaining skb
> length. A malformed controller response with one remaining byte and
> caps->len set to one passes that check even though the element needs two
> bytes. The parser then records a two-byte capability and copies one
> byte beyond the advertised response payload into the codec list.
>
> [...]
Here is the summary with links:
- Bluetooth: hci: validate codec capability element length
https://git.kernel.org/bluetooth/bluetooth-next/c/246dc2ed724b
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html