From: Pengpeng Hou <pengpeng@iscas.ac.cn>
To: Marcel Holtmann <marcel@holtmann.org>,
Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
pengpeng@iscas.ac.cn
Subject: [PATCH] Bluetooth: BNEP: validate control header bytes before reading them
Date: Fri, 3 Apr 2026 16:56:12 +0800
Message-ID: <20260404101002.2-bnep-pengpeng@iscas.ac.cn>
`bnep_rx_frame()` pulls the first byte from the skb and immediately reads
the control type from the remaining data. Short control packets can leave
no bytes in the skb at that point.
The later control-message pull logic also reads `skb->data + 1` before
proving that the length byte or 16-bit filter length is actually present.
Validate the required control-header bytes before each dereference and
drop malformed frames through the existing bad-frame path.
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
net/bluetooth/bnep/core.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index d44987d4515c..0e7a7fb758c9 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -299,18 +299,27 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
{
struct net_device *dev = s->dev;
struct sk_buff *nskb;
- u8 type, ctrl_type;
+ u8 type;
dev->stats.rx_bytes += skb->len;
+ if (!skb->len)
+ goto badframe;
+
type = *(u8 *) skb->data;
skb_pull(skb, 1);
- ctrl_type = *(u8 *)skb->data;
if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
goto badframe;
if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
+ u8 ctrl_type;
+
+ if (!skb->len)
+ goto badframe;
+
+ ctrl_type = *(u8 *)skb->data;
+
if (bnep_rx_control(s, skb->data, skb->len) < 0) {
dev->stats.tx_errors++;
kfree_skb(skb);
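Review bot: The commit message carries no Fixes: tag or Cc: stable line even though this hunk converts two unconditional `*(u8 *)skb->data` reads into guarded ones; please name the commit that introduced the early `ctrl_type = *(u8 *)skb->data;` read and Cc: stable@vger.kernel.org so the fix gets picked up. The guards themselves look right: the `!skb->len` check inside the BNEP_CONTROL branch covers both the new `ctrl_type` read and the first byte that `bnep_rx_control(s, skb->data, skb->len)` dereferences, so the call does not need a check of its own, and moving `ctrl_type` into block scope is the correct fix for reading it before the `BNEP_TYPE_MASK` range test. Minor: `dev->stats.rx_bytes += skb->len;` is still charged before the new top-of-function `goto badframe;`, which matches the existing behaviour for other bad frames, so no change is needed unless you want malformed frames excluded from the byte count.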
@@ -326,12 +335,16 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
switch (ctrl_type) {
case BNEP_SETUP_CONN_REQ:
/* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
+ if (skb->len < 2)
+ goto badframe;
if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
goto badframe;
break;
case BNEP_FILTER_MULTI_ADDR_SET:
case BNEP_FILTER_NET_TYPE_SET:
/* Pull: ctrl type (1 b), len (2 b), data (len bytes) */
+ if (skb->len < 3)
+ goto badframe;
if (!skb_pull(skb, 3 + *(u16 *)(skb->data + 1) * 2))
goto badframe;
break;
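Review bot: The `skb->len < 2` and `skb->len < 3` guards are the minimum needed for the `skb->data + 1` reads in each case, and the existing `if (!skb_pull(...)) goto badframe;` already rejects a declared length larger than what remains, so both cases are safe after this change. Two pre-existing issues in the FILTER case are worth a separate follow-up rather than this fix: `*(u16 *)(skb->data + 1)` is an unaligned, host-byte-order read of a length field that the BNEP wire format carries big-endian, and the result is multiplied by 2 although the comment reads "data (len bytes)"; `get_unaligned_be16(skb->data + 1)` with the arithmetic the comment describes would match the comment and the wire format.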
--
2.50.1 (Apple Git-155)
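The short control frames the commit message describes, as an added example that is not part of the patch or of the kernel tree: a user-space C model of the header walk in the patched bnep_rx_frame(), fed constructed frames so each new length guard can be seen rejecting the frame that would otherwise be read past its end. The packet-type and control-type constants, the contents of the bnep_rx_hlen[] table, and the big-endian read of the 16-bit filter length are assumptions taken from net/bluetooth/bnep/bnep.h and the BNEP specification rather than from this page; frame_pull() stands in for skb_pull(), and extension headers are not modelled.

```c
/*
 * Added example, not part of the patch or the kernel: a user-space model of the
 * header walk in the patched bnep_rx_frame(). Constant values are assumed from
 * net/bluetooth/bnep/bnep.h and the BNEP spec; verify against your tree.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BNEP_TYPE_MASK             0x7f
#define BNEP_GENERAL               0x00
#define BNEP_CONTROL               0x01
#define BNEP_SETUP_CONN_REQ        0x01
#define BNEP_FILTER_NET_TYPE_SET   0x03
#define BNEP_FILTER_MULTI_ADDR_SET 0x05
#define ETH_HLEN 14
#define ETH_ALEN 6

/* Fixed header length per packet type, mirroring __bnep_rx_hlen[] (assumed values). */
static const uint8_t bnep_rx_hlen[] = { ETH_HLEN, 0, ETH_ALEN + 2, ETH_ALEN + 2, 2 };

struct frame { const uint8_t *data; size_t len; };

/* Analogue of skb_pull(): fails (returns 0) when n exceeds the bytes left. */
static int frame_pull(struct frame *f, size_t n)
{
	if (n > f->len)
		return 0;
	f->data += n;
	f->len -= n;
	return 1;
}

/*
 * Walk the BNEP header as the patched code does. Returns the number of bytes
 * left after the header, or -1 for the badframe path. Every bounds check sits
 * in front of the dereference it guards, which is the point of the patch.
 */
long bnep_rx_hdr(const uint8_t *buf, size_t len)
{
	struct frame f = { buf, len };
	uint8_t type;

	if (!f.len)                  /* guards the read of the type byte */
		return -1;
	type = f.data[0];
	frame_pull(&f, 1);

	if ((size_t)(type & BNEP_TYPE_MASK) >= sizeof(bnep_rx_hlen))
		return -1;

	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
		uint8_t ctrl_type;

		if (!f.len)              /* control frame with no control-type byte */
			return -1;
		ctrl_type = f.data[0];

		switch (ctrl_type) {
		case BNEP_SETUP_CONN_REQ:
			/* ctrl type (1), len (1), then two UUIDs of len bytes each */
			if (f.len < 2)       /* the len byte must be present */
				return -1;
			if (!frame_pull(&f, 2 + (size_t)f.data[1] * 2))
				return -1;
			break;
		case BNEP_FILTER_MULTI_ADDR_SET:
		case BNEP_FILTER_NET_TYPE_SET: {
			uint16_t n;

			if (f.len < 3)       /* both length bytes must be present */
				return -1;
			/* Big-endian on the wire (assumption); pull arithmetic mirrors the hunk. */
			n = (uint16_t)((f.data[1] << 8) | f.data[2]);
			if (!frame_pull(&f, 3 + (size_t)n * 2))
				return -1;
			break;
		}
		}
		return (long)f.len;
	}

	if (!frame_pull(&f, bnep_rx_hlen[type & BNEP_TYPE_MASK]))
		return -1;
	return (long)f.len;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t bnep_ex_ctrl_only[]    = { BNEP_CONTROL };
static const uint8_t bnep_ex_setup_nolen[]  = { BNEP_CONTROL, BNEP_SETUP_CONN_REQ };
static const uint8_t bnep_ex_setup_short[]  = { BNEP_CONTROL, BNEP_SETUP_CONN_REQ, 0x02, 0x11, 0x16 };
static const uint8_t bnep_ex_setup_ok[]     = { BNEP_CONTROL, BNEP_SETUP_CONN_REQ, 0x02,
						0x11, 0x16, 0x11, 0x15 };
static const uint8_t bnep_ex_filter_nolen[] = { BNEP_CONTROL, BNEP_FILTER_NET_TYPE_SET, 0x00 };
static const uint8_t bnep_ex_filter_ok[]    = { BNEP_CONTROL, BNEP_FILTER_NET_TYPE_SET, 0x00, 0x04,
						0x08, 0x00, 0x08, 0x00, 0x08, 0x00, 0x08, 0x00 };
static const uint8_t bnep_ex_badtype[]      = { 0x05 };
static const uint8_t bnep_ex_general[17]    = { BNEP_GENERAL }; /* 14-byte Ethernet header + 2 payload bytes */

int main(void)
{
	const struct { const char *name; const uint8_t *p; size_t n; } cases[] = {
		{ "control, no ctrl byte",  bnep_ex_ctrl_only,    sizeof bnep_ex_ctrl_only },
		{ "setup, no len byte",     bnep_ex_setup_nolen,  sizeof bnep_ex_setup_nolen },
		{ "setup, truncated UUIDs", bnep_ex_setup_short,  sizeof bnep_ex_setup_short },
		{ "setup, complete",        bnep_ex_setup_ok,     sizeof bnep_ex_setup_ok },
		{ "filter, one len byte",   bnep_ex_filter_nolen, sizeof bnep_ex_filter_nolen },
		{ "filter, complete",       bnep_ex_filter_ok,    sizeof bnep_ex_filter_ok },
		{ "unknown type",           bnep_ex_badtype,      sizeof bnep_ex_badtype },
		{ "general ethernet",       bnep_ex_general,      sizeof bnep_ex_general },
	};
	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("%-24s -> %ld\n", cases[i].name, bnep_rx_hdr(cases[i].p, cases[i].n));
	return 0;
}
```

A return of -1 is the badframe path; the first three control cases are exactly the frames that the unpatched code would read one or more bytes past before skb_pull() ever had a chance to fail.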
Thread overview:
2026-04-03 8:56 Pengpeng Hou [this message]
2026-04-04 9:54 ` Bluetooth: BNEP: validate control header bytes before reading them bluez.test.bot
2026-04-07 16:44 ` [PATCH] " Paul Menzel
2026-04-08 1:15 ` Pengpeng Hou
2026-04-09 20:21 ` bluez.test.bot