* [PATCH] Bluetooth: L2CAP: validate connectionless PSM length
@ 2026-06-08 23:57 Samuel Moelius
From: Samuel Moelius @ 2026-06-08 23:57 UTC (permalink / raw)
To: Marcel Holtmann
Cc: Samuel Moelius, Luiz Augusto von Dentz,
open list:BLUETOOTH SUBSYSTEM, open list
Connectionless L2CAP frames carry a two-byte PSM at the start of the
payload. l2cap_recv_frame() currently reads that PSM unconditionally
after validating only the outer L2CAP length.

A malformed connectionless frame with a zero- or one-byte payload can
therefore make the parser read beyond the advertised skb payload and use
tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer
injected a one-byte connectionless payload and reached the unchecked
read.

Reject connectionless frames that cannot contain the PSM before reading
or pulling it. This preserves all valid connectionless frames while
dropping only structurally incomplete packets.
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
---
net/bluetooth/l2cap_core.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c4ccfbda9d78..a9353fa91588 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -7026,6 +7026,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb)
break;
case L2CAP_CID_CONN_LESS:
+ if (skb->len < L2CAP_PSMLEN_SIZE) {
+ kfree_skb(skb);
+ break;
+ }
+
psm = get_unaligned((__le16 *) skb->data);
skb_pull(skb, L2CAP_PSMLEN_SIZE);
l2cap_conless_channel(conn, psm, skb);
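Review bot: the guard at the top of the L2CAP_CID_CONN_LESS case drops short frames silently with kfree_skb(skb); break;, so a fuzzer-injected one-byte payload like the reproducer in the commit message leaves no trace. A BT_DBG() line naming the CID and skb->len before the kfree_skb() would make such drops visible while keeping the fast path unchanged. The check itself is sufficient for the two lines it protects: once skb->len >= L2CAP_PSMLEN_SIZE holds, both get_unaligned((__le16 *) skb->data) and skb_pull(skb, L2CAP_PSMLEN_SIZE) stay within the advertised payload; if non-linear skbs could ever reach this path, pskb_may_pull(skb, L2CAP_PSMLEN_SIZE) would express that length-plus-linearity requirement more precisely. Separately, the commit message carries no Fixes: tag, which stable backports of a bounds fix like this usually want.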
--
2.43.0
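A user-space model of the parse the patch hardens, added here as an illustration; it is not code from the kernel or from the patch author. It assumes the L2CAP basic header layout (little-endian 16-bit length and CID, then the payload) and models skb tailroom as 0xAA fill after the advertised payload so the unchecked read is observable rather than undefined. toy_skb, parse_conless_frame and the PARSE_* codes are names invented for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define L2CAP_HDR_SIZE      4
#define L2CAP_PSMLEN_SIZE   2
#define L2CAP_CID_CONN_LESS 0x0002

enum { PARSE_OK = 0, PARSE_BAD_HDR = -1, PARSE_NOT_CONLESS = -2,
       PARSE_SHORT_PSM = -3 };

/* Minimal stand-in for the two skb fields the parse touches. */
struct toy_skb {
    const uint8_t *data;  /* like skb->data */
    size_t len;           /* like skb->len: the advertised payload length */
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Outer-length validation shared by both variants: the header's length
 * field must match the bytes that follow it. The patch leaves this as is. */
static int strip_l2cap_hdr(struct toy_skb *skb, uint16_t *cid)
{
    uint16_t len;

    if (skb->len < L2CAP_HDR_SIZE)
        return PARSE_BAD_HDR;
    len  = get_le16(skb->data);
    *cid = get_le16(skb->data + 2);
    skb->data += L2CAP_HDR_SIZE;
    skb->len  -= L2CAP_HDR_SIZE;
    return len == skb->len ? PARSE_OK : PARSE_BAD_HDR;
}

/* Connectionless-channel PSM parse, with (guarded=1) or without
 * (guarded=0) the length check the patch adds. */
static int conless_psm(struct toy_skb *skb, uint16_t *psm, int guarded)
{
    uint16_t cid;
    int rc = strip_l2cap_hdr(skb, &cid);

    if (rc)
        return rc;
    if (cid != L2CAP_CID_CONN_LESS)
        return PARSE_NOT_CONLESS;
    /* The patch's guard: without it a 0- or 1-byte payload still reaches
     * the two-byte read below and picks up whatever follows the payload. */
    if (guarded && skb->len < L2CAP_PSMLEN_SIZE)
        return PARSE_SHORT_PSM;
    *psm = get_le16(skb->data);       /* two bytes, whatever skb->len says */
    skb->data += L2CAP_PSMLEN_SIZE;
    skb->len  -= L2CAP_PSMLEN_SIZE;   /* wraps for a 0/1-byte payload */
    return PARSE_OK;
}

#define MAX_PAYLOAD 4
#define TAILROOM    8   /* bytes after the advertised end, like skb tailroom */

/* Constructed frame: basic header, n payload bytes 0x01, 0x02, ..., and
 * 0xAA fill in the tailroom. Keeping the tailroom inside the same buffer
 * makes the over-read reproducible here instead of undefined behaviour. */
static size_t build_frame(uint8_t *buf, size_t n)
{
    size_t i;

    memset(buf, 0xAA, L2CAP_HDR_SIZE + MAX_PAYLOAD + TAILROOM);
    buf[0] = (uint8_t)n;                     /* len, little-endian */
    buf[1] = 0;
    buf[2] = (uint8_t)L2CAP_CID_CONN_LESS;   /* cid, little-endian */
    buf[3] = 0;
    for (i = 0; i < n && i < MAX_PAYLOAD; i++)
        buf[L2CAP_HDR_SIZE + i] = (uint8_t)(i + 1);
    return L2CAP_HDR_SIZE + n;
}

/* Parse an n-byte connectionless payload with or without the guard.
 * Returns the PSM on success, or a negative PARSE_* code. */
long parse_conless_frame(size_t n, int guarded)
{
    uint8_t buf[L2CAP_HDR_SIZE + MAX_PAYLOAD + TAILROOM];
    struct toy_skb skb;
    uint16_t psm = 0;
    int rc;

    if (n > MAX_PAYLOAD)
        return PARSE_BAD_HDR;
    skb.len  = build_frame(buf, n);
    skb.data = buf;
    rc = conless_psm(&skb, &psm, guarded);
    return rc ? rc : (long)psm;
}

int main(void)
{
    size_t n;

    for (n = 0; n <= 2; n++)
        printf("payload %zu byte(s): unchecked -> %ld, checked -> %ld\n",
               n, parse_conless_frame(n, 0), parse_conless_frame(n, 1));
    return 0;
}
```

Running it shows that without the guard a zero- or one-byte payload yields a PSM assembled from tailroom bytes (0xAAAA and 0xAA01 here), while the guarded variant rejects both with PARSE_SHORT_PSM and still accepts the two-byte payload as PSM 0x0201.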
* RE: Bluetooth: L2CAP: validate connectionless PSM length
From: bluez.test.bot @ 2026-06-09 1:59 UTC (permalink / raw)
To: linux-bluetooth, sam.moelius
This is an automated email; please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108158
---Test result---
Test Summary:
CheckPatch PASS 0.60 seconds
VerifyFixes PASS 0.09 seconds
VerifySignedoff PASS 0.09 seconds
GitLint PASS 0.25 seconds
SubjectPrefix PASS 0.11 seconds
BuildKernel PASS 27.18 seconds
CheckAllWarning PASS 29.26 seconds
CheckSparse PASS 27.84 seconds
BuildKernel32 PASS 26.17 seconds
TestRunnerSetup PASS 578.06 seconds
TestRunner_l2cap-tester PASS 60.04 seconds
IncrementalBuild PASS 25.60 seconds
https://github.com/bluez/bluetooth-next/pull/294
---
Regards,
Linux Bluetooth
* Re: [PATCH] Bluetooth: L2CAP: validate connectionless PSM length
From: patchwork-bot+bluetooth @ 2026-06-10 15:40 UTC (permalink / raw)
To: Samuel Moelius; +Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 8 Jun 2026 23:57:05 +0000 you wrote:
> Connectionless L2CAP frames carry a two-byte PSM at the start of the
> payload. l2cap_recv_frame() currently reads that PSM unconditionally
> after validating only the outer L2CAP length.
>
> A malformed connectionless frame with a zero- or one-byte payload can
> therefore make the parser read beyond the advertised skb payload and use
> tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer
> injected a one-byte connectionless payload and reached the unchecked
> read.
>
> [...]
Here is the summary with links:
- Bluetooth: L2CAP: validate connectionless PSM length
https://git.kernel.org/bluetooth/bluetooth-next/c/801f756504d1
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
Thread overview:
2026-06-08 23:57 [PATCH] Bluetooth: L2CAP: validate connectionless PSM length Samuel Moelius
2026-06-09 1:59 ` bluez.test.bot
2026-06-09 2:50 ` Victor Yeo
2026-06-10 15:40 ` [PATCH] " patchwork-bot+bluetooth