Linux bluetooth development
* [PATCH v1] Bluetooth: MGMT: Fix backward compatibility with userspace
@ 2026-06-02 20:56 Luiz Augusto von Dentz
  2026-06-02 22:09 ` [v1] " bluez.test.bot
  2026-06-11 17:58 ` [PATCH v1] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Luiz Augusto von Dentz @ 2026-06-02 20:56 UTC (permalink / raw)
  To: linux-bluetooth

From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

bluetoothd has a bug which makes it send extra bytes as part of
MGMT_OP_ADD_EXT_ADV_DATA, which are now being checked to be
exactly the expected length. Relax this so that only an expected
length greater than the data length causes an error, since
that would result in accessing invalid memory; otherwise just
ignore the extra bytes.

Link: https://lore.kernel.org/linux-bluetooth/20260602204749.210857-1-luiz.dentz@gmail.com/T/#u
Fixes: d3f7d17960ed ("Bluetooth: MGMT: validate Add Extended Advertising Data length")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
---
 net/bluetooth/mgmt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index de5bd6b637b2..8e13af77d694 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -9114,8 +9114,9 @@ static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
 
 	BT_DBG("%s", hdev->name);
 
-	expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
-	if (expected_len != data_len)
+	expected_len = struct_size(cp, data, cp->adv_data_len +
+				   cp->scan_rsp_len);
+	if (expected_len > data_len)
 		return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
 				       MGMT_STATUS_INVALID_PARAMS);
 
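Review bot: the relaxed `if (expected_len > data_len)` test now accepts any number of trailing bytes silently, and nothing at the check says why, so a later cleanup could easily tighten it back to `!=` and break bluetoothd again. Please add a short comment above the check stating that extra bytes are tolerated for compatibility with existing userspace and that only cp->adv_data_len + cp->scan_rsp_len bytes of cp->data may be consumed afterwards, never data_len. A debug trace when data_len exceeds expected_len would also make the buggy sender visible. Separately, cp->adv_data_len and cp->scan_rsp_len are read in the struct_size() call before data_len is compared against anything in this hunk, so the check relies on the caller having already guaranteed that data_len covers the fixed part of *cp; it is worth confirming that and saying so in the comment. The re-wrapping of the struct_size() line is unrelated to the fix and could be dropped to keep the backport minimal.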
-- 
2.54.0



* RE: [v1] Bluetooth: MGMT: Fix backward compatibility with userspace
From: bluez.test.bot @ 2026-06-02 22:09 UTC (permalink / raw)
  To: linux-bluetooth, luiz.dentz


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1104852

---Test result---

Test Summary:
CheckPatch                    PASS      0.74 seconds
VerifyFixes                   PASS      0.14 seconds
VerifySignedoff               PASS      0.14 seconds
GitLint                       PASS      0.33 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      27.61 seconds
CheckAllWarning               PASS      29.95 seconds
CheckSparse                   PASS      28.55 seconds
BuildKernel32                 PASS      26.59 seconds
TestRunnerSetup               PASS      590.34 seconds
TestRunner_mgmt-tester        FAIL      223.41 seconds
TestRunner_mesh-tester        FAIL      27.00 seconds
IncrementalBuild              PASS      26.37 seconds

Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.253 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.645 seconds
Mesh - Send cancel - 2                               Timed out    1.988 seconds


https://github.com/bluez/bluetooth-next/pull/277

---
Regards,
Linux Bluetooth



* Re: [PATCH v1] Bluetooth: MGMT: Fix backward compatibility with userspace
From: patchwork-bot+bluetooth @ 2026-06-11 17:58 UTC (permalink / raw)
  To: Luiz Augusto von Dentz; +Cc: linux-bluetooth

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Tue,  2 Jun 2026 16:56:59 -0400 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> 
> bluetoothd has a bug which makes it send extra bytes as part of
> MGMT_OP_ADD_EXT_ADV_DATA, which are now being checked to be
> exactly the expected length. Relax this so that only an expected
> length greater than the data length causes an error, since
> that would result in accessing invalid memory; otherwise just
> ignore the extra bytes.
> 
> [...]

Here is the summary with links:
  - [v1] Bluetooth: MGMT: Fix backward compatibility with userspace
    https://git.kernel.org/bluetooth/bluetooth-next/c/149324fc762c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html


