* [PATCH BlueZ 1/2] tools/smp-tester: don't write array out of bounds
@ 2026-04-06 12:06 Pauli Virtanen
From: Pauli Virtanen @ 2026-04-06 12:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
Fix accessing pdu data out of bounds in SMP Server - Invalid Request.
---
tools/smp-tester.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/tools/smp-tester.c b/tools/smp-tester.c
index 6c3de6451..04b7ee088 100644
--- a/tools/smp-tester.c
+++ b/tools/smp-tester.c
@@ -536,19 +536,25 @@ static void pair_device_complete(uint8_t status, uint16_t length,
tester_print("Pairing succeedded");
}
-static const void *get_pdu(const uint8_t *pdu)
+static const void *get_pdu(const uint8_t *pdu, size_t len)
{
struct test_data *data = tester_get_data();
const struct smp_data *smp = data->test_data;
uint8_t opcode = pdu[0];
static uint8_t buf[65];
+ g_assert(len > 0);
+
switch (opcode) {
case 0x01: /* Pairing Request */
- memcpy(data->preq, pdu, sizeof(data->preq));
+ g_assert(len <= sizeof(data->preq));
+ memset(data->preq, 0, sizeof(data->preq));
+ memcpy(data->preq, pdu, len);
break;
case 0x02: /* Pairing Response */
- memcpy(data->prsp, pdu, sizeof(data->prsp));
+ g_assert(len <= sizeof(data->prsp));
+ memset(data->prsp, 0, sizeof(data->prsp));
+ memcpy(data->prsp, pdu, len);
break;
case 0x03: /* Pairing Confirm */
buf[0] = pdu[0];
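Review bot: the new `g_assert(len > 0);` sits after `uint8_t opcode = pdu[0];`, so the first byte is still read before the length is checked; declare `uint8_t opcode;` with the other locals and assign it after the assert. The new bounds checks only cover the 0x01 and 0x02 cases; the remaining cases still do not consult `len` (only `buf[0] = pdu[0];` is visible here, which the `len > 0` assert does cover), so any of them that copies more than one byte out of `pdu` needs the same `g_assert(len <= ...)` treatment. Also worth a one-line comment that these asserts guard the static test vectors, since `g_assert` aborts the whole tester process rather than failing a single test.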
@@ -686,7 +692,7 @@ next:
req = &smp->req[test_data->counter];
- pdu = get_pdu(req->send);
+ pdu = get_pdu(req->send, req->send_len);
bthost_send_cid(bthost, test_data->handle, SMP_CID, pdu,
req->send_len);
if (req->expect)
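Review bot: `bthost_send_cid` still sends `req->send_len` bytes from whatever pointer `get_pdu` returns, and nothing ties that length to the returned buffer. When `get_pdu` returns its static `buf[65]` instead of `pdu`, `req->send_len` is unrelated to `sizeof(buf)`; add `g_assert(len <= sizeof(buf));` inside `get_pdu` (or return the usable length alongside the pointer) so a caller cannot read past `buf` with an over-long `send_len`.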
@@ -756,7 +762,7 @@ static void smp_new_conn(uint16_t handle, void *user_data)
tester_print("Sending SMP PDU");
- pdu = get_pdu(req->send);
+ pdu = get_pdu(req->send, req->send_len);
bthost_send_cid(bthost, handle, SMP_CID, pdu, req->send_len);
if (!req->expect)
--
2.53.0
* [PATCH BlueZ 2/2] tools/ioctl-tester: don't read array out of bounds
From: Pauli Virtanen @ 2026-04-06 12:06 UTC (permalink / raw)
To: linux-bluetooth; +Cc: Pauli Virtanen
Fix accessing (invalid) param data out of bounds.
---
tools/ioctl-tester.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/tools/ioctl-tester.c b/tools/ioctl-tester.c
index c29b30268..e0627eef5 100644
--- a/tools/ioctl-tester.c
+++ b/tools/ioctl-tester.c
@@ -62,6 +62,7 @@ struct ioctl_data {
uint32_t cmd;
const uint32_t opt;
const void *param;
+ size_t param_len;
int (*cmd_param_func)(void *param, uint32_t *length);
int expected_ioctl_err;
const void *block_bdaddr;
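Review bot: `param_len` needs a comment in the struct stating its semantics: zero means "not set, copy `req_len` bytes from `param`", and zero is the default for every existing entry, so the check added in `test_ioctl_common` is opt-in. Without that note a future entry that sets `.param` but forgets `.param_len` silently keeps the unchecked copy. Declaring it `const size_t param_len;` would also match the neighbouring `const uint32_t opt;` and `const void *param;`.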
@@ -434,6 +435,7 @@ static const struct hci_dev_list_req dev_list_invalid_1_param = {
static const struct ioctl_data dev_list_invalid_1 = {
.cmd = HCIGETDEVLIST,
.param = (void *)&dev_list_invalid_1_param,
+ .param_len = sizeof(dev_list_invalid_1_param),
.expected_ioctl_err = EINVAL,
};
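Review bot: only `dev_list_invalid_1` gains `.param_len` in this series, so every other `ioctl_data` entry that sets `.param` still copies `req_len` bytes out of it with no bound. Either populate `.param_len` for all entries that carry a `.param`, or make the missing value fail loudly (`g_assert(ioctl_data->param_len)` when `.param` is non-NULL) instead of falling through to the unchecked `memcpy`.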
@@ -772,8 +774,13 @@ static void test_ioctl_common(const void *test_data)
tester_test_failed();
goto exit_free;
}
- } else
+ } else {
+ if (ioctl_data->param_len) {
+ g_assert(req_len >= ioctl_data->param_len);
+ req_len = ioctl_data->param_len;
+ }
memcpy(req, ioctl_data->param, req_len);
+ }
tester_print("Command Parameter is updated");
test_condition_complete(data);
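Review bot: when `ioctl_data->param_len` is 0 the `else` branch falls straight through to the original `memcpy(req, ioctl_data->param, req_len);`, so the out-of-bounds read named in the subject is still reachable for any entry without `.param_len`. Reassigning `req_len = ioctl_data->param_len;` also changes the length seen by whatever uses `req_len` after this block: if `req` was allocated at the original `req_len` and that size is meant to reach the ioctl (this entry expects `EINVAL` for an invalid request), copy `param_len` bytes and `memset` the remainder to zero rather than shrinking `req_len`; if the shorter length is intended, state that in the commit message.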
--
2.53.0
* RE: [BlueZ,1/2] tools/smp-tester: don't write array out of bounds
From: bluez.test.bot @ 2026-04-06 13:37 UTC (permalink / raw)
To: linux-bluetooth, pav
This is an automated email, please do not reply to it!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1077645
---Test result---
Test Summary:
CheckPatch PENDING 0.39 seconds
GitLint PENDING 0.37 seconds
BuildEll PASS 20.12 seconds
BluezMake PASS 668.43 seconds
MakeCheck PASS 18.88 seconds
MakeDistcheck PASS 245.81 seconds
CheckValgrind PASS 292.93 seconds
CheckSmatch PASS 347.66 seconds
bluezmakeextell PASS 182.95 seconds
IncrementalBuild PENDING 0.47 seconds
ScanBuild PASS 1043.08 seconds
Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:
##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:
https://github.com/bluez/bluez/pull/2019/checks
---
Regards,
Linux Bluetooth
* Re: [PATCH BlueZ 1/2] tools/smp-tester: don't write array out of bounds
From: patchwork-bot+bluetooth @ 2026-04-06 17:00 UTC (permalink / raw)
To: Pauli Virtanen; +Cc: linux-bluetooth
Hello:
This series was applied to bluetooth/bluez.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:
On Mon, 6 Apr 2026 15:06:19 +0300 you wrote:
> Fix accessing pdu data out of bounds in SMP Server - Invalid Request.
> ---
> tools/smp-tester.c | 16 +++++++++++-----
> 1 file changed, 11 insertions(+), 5 deletions(-)
Here is the summary with links:
- [BlueZ,1/2] tools/smp-tester: don't write array out of bounds
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=46f2edd29833
- [BlueZ,2/2] tools/ioctl-tester: don't read array out of bounds
https://git.kernel.org/pub/scm/bluetooth/bluez.git/?id=053c7c61ef97
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html