public inbox for linux-bluetooth@vger.kernel.org
* [PATCH v2] Bluetooth: btmtk: fix OOB read from short WMT event SKB
@ 2026-04-15 22:25 Tristan Madani
From: Tristan Madani @ 2026-04-15 22:25 UTC (permalink / raw)
  To: Sean Wang; +Cc: Marcel Holtmann, Luiz Augusto von Dentz, linux-bluetooth

From: Tristan Madani <tristan@talencesecurity.com>

The WMT event response SKB is cast to typed structs (7, 9, and 18
bytes) without checking that the SKB contains enough data. Short
firmware responses cause out-of-bounds reads from SKB tailroom.

Add length validation before each struct access.

Fixes: d019930b0049 ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
Note: v2 resubmission -- original sent via Gmail had HTML rendering
issues. This version uses git send-email for plain-text formatting.

drivers/bluetooth/btmtk.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/btmtk.c b/drivers/bluetooth/btmtk.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/bluetooth/btmtk.c
+++ b/drivers/bluetooth/btmtk.c
@@ -658,6 +658,8 @@ int btmtk_process_wmt_evt(struct btmtk_data *data, struct sk_buff *evt_skb)
 	struct btmtk_hci_wmt_evt_funcc *wmt_evt_funcc;

+	if (data->evt_skb->len < sizeof(*wmt_evt))
+		return -EINVAL;
 	wmt_evt = (struct btmtk_hci_wmt_evt *)data->evt_skb->data;
 	if (wmt_evt->whdr.op != hdr->op) {
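Review bot: the length check is correctly placed before the cast, but the patch as posted will not apply: the file header carries placeholder blob ids (`index XXXXXXX..XXXXXXX 100644`) instead of real abbreviated hashes, and this hunk header (`@@ -658,6 +658,8 @@`) promises six old lines while only five context lines follow, so `git am` rejects it as corrupt; please regenerate with `git format-patch` from the actual commit rather than editing the diff by hand. On the logic itself, the new `return -EINVAL` should mirror whatever the existing `if (wmt_evt->whdr.op != hdr->op)` mismatch branch does with `data->evt_skb` on error, so that ownership of the event SKB is handled the same way on both failure paths.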

@@ -674,6 +676,9 @@ int btmtk_process_wmt_evt(struct btmtk_data *data, struct sk_buff *evt_skb)
 	switch (wmt_evt->whdr.op) {
 	case BTMTK_WMT_FUNC_CTRL:
+		if (data->evt_skb->len < sizeof(*wmt_evt_funcc))
+			return -EINVAL;
+
 		wmt_evt_funcc = (struct btmtk_hci_wmt_evt_funcc *)wmt_evt;
 		if (be16_to_cpu(wmt_evt_funcc->status) == 0x404)
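Review bot: the `sizeof(*wmt_evt_funcc)` guard correctly covers the `status` field read on the next line, but the commit message describes three typed accesses (7, 9 and 18 bytes) while the diff adds only two checks (`*wmt_evt` and `*wmt_evt_funcc`); either the third check for the 18-byte struct was dropped from this version or the message should be updated to say which accesses are covered. As with the first hunk, the header `@@ -674,6 +676,9 @@` counts six old lines but only five context lines follow, which is consistent with the CI failure reported in the thread.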



* RE: [v2] Bluetooth: btmtk: fix OOB read from short WMT event SKB
  2026-04-15 22:25 [PATCH v2] Bluetooth: btmtk: fix OOB read from short WMT event SKB Tristan Madani
@ 2026-04-15 23:13 ` bluez.test.bot
From: bluez.test.bot @ 2026-04-15 23:13 UTC (permalink / raw)
  To: linux-bluetooth, tristmd


This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: corrupt patch at line 28
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.


---
Regards,
Linux Bluetooth


