* [PATCH BlueZ] shared/bap: check pac cc and metadata length before use
@ 2025-10-11 18:45 Pauli Virtanen
  2025-10-11 20:08 ` [BlueZ] " bluez.test.bot
  2025-10-13 16:00 ` [PATCH BlueZ] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Pauli Virtanen @ 2025-10-11 18:45 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Pauli Virtanen

Don't read past the buffer end if the device provided bogus values for PAC
caps/metadata lengths.

Use iov pull properly, and also check metadata LTV validity.
---
 src/shared/bap.c | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/src/shared/bap.c b/src/shared/bap.c
index 9b7395223..710b89984 100644
--- a/src/shared/bap.c
+++ b/src/shared/bap.c
@@ -4708,7 +4708,7 @@ static void bap_parse_pacs(struct bt_bap *bap, uint8_t type,
 	for (i = 0; i < rsp->num_pac; i++) {
 		struct bt_bap_pac *pac;
 		struct bt_pac *p;
-		struct bt_ltv *cc;
+		struct bt_ltv *cc, *m;
 		struct bt_pac_metadata *meta;
 		struct iovec data, metadata;
 
@@ -4725,29 +4725,41 @@ static void bap_parse_pacs(struct bt_bap *bap, uint8_t type,
 
 		pac = NULL;
 
-		if (!bt_bap_debug_caps(iov.iov_base, p->cc_len, bap->debug_func,
-					bap->debug_data))
-			return;
-
 		cc = util_iov_pull_mem(&iov, p->cc_len);
 		if (!cc) {
 			DBG(bap, "Unable to parse PAC codec capabilities");
 			return;
 		}
 
+		if (!bt_bap_debug_caps(cc, p->cc_len, bap->debug_func,
+					bap->debug_data)) {
+			DBG(bap, "Invalid PAC codec capabilities LTV");
+			return;
+		}
+
 		meta = util_iov_pull_mem(&iov, sizeof(*meta));
 		if (!meta) {
 			DBG(bap, "Unable to parse PAC metadata");
 			return;
 		}
 
+		m = util_iov_pull_mem(&iov, meta->len);
+		if (!m) {
+			DBG(bap, "Unable to parse PAC metadata");
+			return;
+		}
+
+		if (!bt_bap_debug_metadata(meta->data, meta->len,
+					bap->debug_func, bap->debug_data)) {
+			DBG(bap, "Invalid PAC metadata LTV");
+			return;
+		}
+
 		data.iov_len = p->cc_len;
 		data.iov_base = cc;
 
 		metadata.iov_len = meta->len;
-		metadata.iov_base = meta->data;
-
-		util_iov_pull_mem(&iov, meta->len);
+		metadata.iov_base = m;
 
 		DBG(bap, "PAC #%u: type %u codec 0x%02x cc_len %u meta_len %u",
 			i, type, p->codec.id, p->cc_len, meta->len);
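Review bot: The new metadata validity check passes `meta->data` to `bt_bap_debug_metadata` while the pointer that was actually bounds-checked two lines earlier is `m`; the two coincide only if `data` is a flexible array member immediately following `len`, which this hunk does not show. Passing the pulled pointer keeps the check tied to the length-validated region and mirrors the cc path, `if (!bt_bap_debug_metadata(m, meta->len,`. The two `util_iov_pull_mem` failure paths for `meta` and `m` also log the identical string `"Unable to parse PAC metadata"`, so a debug log cannot tell a truncated metadata header from a truncated LTV payload; the second could read `DBG(bap, "Unable to parse PAC metadata LTV (len %u)", meta->len);`, which also records the peer-supplied length that was rejected. The loop body of bap_parse_pacs starts before this hunk and continues after it.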
-- 
2.51.0


