[PATCH] Bluetooth: BNEP: validate control header bytes before reading them

[PATCH] Bluetooth: BNEP: validate control header bytes before reading them

[Pengpeng Hou]

`bnep_rx_frame()` pulls the first byte from the skb and immediately reads
the control type from the remaining data. Short control packets can leave
no bytes in the skb at that point.

The later control-message pull logic also reads `skb->data + 1` before
proving that the length byte or 16-bit filter length is actually present.

Validate the required control-header bytes before each dereference and
drop malformed frames through the existing bad-frame path.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 net/bluetooth/bnep/core.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
index d44987d4515c..0e7a7fb758c9 100644
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -299,18 +299,27 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 {
 	struct net_device *dev = s->dev;
 	struct sk_buff *nskb;
-	u8 type, ctrl_type;
+	u8 type;
 
 	dev->stats.rx_bytes += skb->len;
 
+	if (!skb->len)
+		goto badframe;
+
 	type = *(u8 *) skb->data;
 	skb_pull(skb, 1);
-	ctrl_type = *(u8 *)skb->data;
 
 	if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
 		goto badframe;
 
 	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
+		u8 ctrl_type;
+
+		if (!skb->len)
+			goto badframe;
+
+		ctrl_type = *(u8 *)skb->data;
+
 		if (bnep_rx_control(s, skb->data, skb->len) < 0) {
 			dev->stats.tx_errors++;
 			kfree_skb(skb);
@@ -326,12 +335,16 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
 		switch (ctrl_type) {
 		case BNEP_SETUP_CONN_REQ:
 			/* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
+			if (skb->len < 2)
+				goto badframe;
 			if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
 				goto badframe;
 			break;
 		case BNEP_FILTER_MULTI_ADDR_SET:
 		case BNEP_FILTER_NET_TYPE_SET:
 			/* Pull: ctrl type (1 b), len (2 b), data (len bytes) */
+			if (skb->len < 3)
+				goto badframe;
 			if (!skb_pull(skb, 3 + *(u16 *)(skb->data + 1) * 2))
 				goto badframe;
 			break;
-- 
2.50.1 (Apple Git-155)

RE: Bluetooth: BNEP: validate control header bytes before reading them

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 2593 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1077246

---Test result---

Test Summary:
CheckPatch                    PENDING   0.28 seconds
GitLint                       PENDING   0.22 seconds
SubjectPrefix                 PASS      0.11 seconds
BuildKernel                   PASS      26.39 seconds
CheckAllWarning               PASS      28.88 seconds
CheckSparse                   PASS      27.39 seconds
BuildKernel32                 PASS      25.34 seconds
TestRunnerSetup               PASS      574.28 seconds
TestRunner_l2cap-tester       PASS      27.80 seconds
TestRunner_iso-tester         PASS      38.08 seconds
TestRunner_bnep-tester        PASS      6.46 seconds
TestRunner_mgmt-tester        FAIL      114.80 seconds
TestRunner_rfcomm-tester      PASS      9.41 seconds
TestRunner_sco-tester         FAIL      14.21 seconds
TestRunner_ioctl-tester       PASS      10.09 seconds
TestRunner_mesh-tester        FAIL      12.42 seconds
TestRunner_smp-tester         PASS      8.93 seconds
TestRunner_userchan-tester    PASS      6.65 seconds
IncrementalBuild              PENDING   0.40 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.107 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
BUG: sleeping function called from invalid context at net/core/sock.c:3782
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.784 seconds
Mesh - Send cancel - 2                               Timed out    1.995 seconds
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



---
Regards,
Linux Bluetooth

Re: [PATCH] Bluetooth: BNEP: validate control header bytes before reading them

[Paul Menzel]

Dear Pengpeng,


Thank you for your patch. Just a note, that the date/time mismataches:

     Received: from 0002-bnep.eml (unknown [111.196.245.197])
     	by APP-05 (Coremail) with SMTP id zQCowACHFwsG0dBp_7RzDA--.49444S2;
     	Sat, 04 Apr 2026 16:51:18 +0800 (CST)
     From: Pengpeng Hou <pengpeng@iscas.ac.cn>
     Date: Fri, 3 Apr 2026 16:56:12 +0800

Am 03.04.26 um 10:56 schrieb Pengpeng Hou:
> `bnep_rx_frame()` pulls the first byte from the skb and immediately reads
> the control type from the remaining data. Short control packets can leave
> no bytes in the skb at that point.
> 
> The later control-message pull logic also reads `skb->data + 1` before
> proving that the length byte or 16-bit filter length is actually present.
> 
> Validate the required control-header bytes before each dereference and
> drop malformed frames through the existing bad-frame path.

Do you have by chance a reproducer?

> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>   net/bluetooth/bnep/core.c | 17 +++++++++++++++--
>   1 file changed, 15 insertions(+), 2 deletions(-)
> 
> diff --git a/net/bluetooth/bnep/core.c b/net/bluetooth/bnep/core.c
> index d44987d4515c..0e7a7fb758c9 100644
> --- a/net/bluetooth/bnep/core.c
> +++ b/net/bluetooth/bnep/core.c
> @@ -299,18 +299,27 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
>   {
>   	struct net_device *dev = s->dev;
>   	struct sk_buff *nskb;
> -	u8 type, ctrl_type;
> +	u8 type;
>   
>   	dev->stats.rx_bytes += skb->len;
>   
> +	if (!skb->len)
> +		goto badframe;
> +
>   	type = *(u8 *) skb->data;
>   	skb_pull(skb, 1);
> -	ctrl_type = *(u8 *)skb->data;
>   
>   	if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
>   		goto badframe;
>   
>   	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
> +		u8 ctrl_type;
> +
> +		if (!skb->len)
> +			goto badframe;
> +
> +		ctrl_type = *(u8 *)skb->data;
> +
>   		if (bnep_rx_control(s, skb->data, skb->len) < 0) {
>   			dev->stats.tx_errors++;
>   			kfree_skb(skb);
> @@ -326,12 +335,16 @@ static int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
>   		switch (ctrl_type) {
>   		case BNEP_SETUP_CONN_REQ:
>   			/* Pull: ctrl type (1 b), len (1 b), data (len bytes) */
> +			if (skb->len < 2)
> +				goto badframe;

gemini/gemini-3.1-pro-preview commented on this hunk.

https://sashiko.dev/#/patchset/20260404101002.2-bnep-pengpeng%40iscas.ac.cn

>   			if (!skb_pull(skb, 2 + *(u8 *)(skb->data + 1) * 2))
>   				goto badframe;
>   			break;
>   		case BNEP_FILTER_MULTI_ADDR_SET:
>   		case BNEP_FILTER_NET_TYPE_SET:
>   			/* Pull: ctrl type (1 b), len (2 b), data (len bytes) */
> +			if (skb->len < 3)
> +				goto badframe;
>   			if (!skb_pull(skb, 3 + *(u16 *)(skb->data + 1) * 2))
>   				goto badframe;
>   			break;


Kind regards,

Paul

Re: [PATCH] Bluetooth: BNEP: validate control header bytes before reading them

[Pengpeng Hou]

Hi Paul,

Thanks for the review.

The Date/Received mismatch is on me. I resent from a locally generated
patch file and preserved its original Date header, so the SMTP receive
time ended up being newer than the message Date. I will correct that on
the next resend.

I do not have a polished userspace reproducer prepared yet, but the bug
can be triggered with short malformed BNEP payloads passed to
bnep_rx_frame().

The minimal cases are:

  1. 0x01  (or 0x81)

     This is a 1-byte BNEP_CONTROL frame. After the initial skb_pull(skb, 1),
     skb->len becomes 0, but the current code still does

         ctrl_type = *(u8 *)skb->data;

  2. 0x81 0x01

     This is BNEP_CONTROL | BNEP_EXT_HEADER with ctrl_type
     BNEP_SETUP_CONN_REQ. Later, in the control-message pull path,
     the code reads

         *(u8 *)(skb->data + 1)

     for the length byte, even though only the ctrl byte is present.

  3. 0x81 0x03   or   0x81 0x05

     These are BNEP_FILTER_NET_TYPE_SET / BNEP_FILTER_MULTI_ADDR_SET.
     Later the code reads

         *(u16 *)(skb->data + 1)

     for the 16-bit length field, even though that field is absent.

So the issue is reproducible with truncated control skb payloads before
any valid length byte / 16-bit length field is available.

If useful, I can also turn one of the above cases into a small standalone
reproducer for the receive path.

Thanks,
Pengpeng

RE: Bluetooth: BNEP: validate control header bytes before reading them

[bluez.test.bot]

[-- Attachment #1: Type: text/plain, Size: 6877 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1077246

---Test result---

Test Summary:
CheckPatch                    PENDING   0.41 seconds
GitLint                       PENDING   0.44 seconds
SubjectPrefix                 PASS      0.05 seconds
BuildKernel                   PASS      26.64 seconds
CheckAllWarning               PASS      29.72 seconds
CheckSparse                   PASS      28.65 seconds
BuildKernel32                 PASS      26.41 seconds
TestRunnerSetup               PASS      574.12 seconds
TestRunner_l2cap-tester       PASS      27.93 seconds
TestRunner_iso-tester         PASS      37.96 seconds
TestRunner_bnep-tester        PASS      6.37 seconds
TestRunner_mgmt-tester        FAIL      114.94 seconds
TestRunner_rfcomm-tester      PASS      9.57 seconds
TestRunner_sco-tester         FAIL      14.54 seconds
TestRunner_ioctl-tester       PASS      10.28 seconds
TestRunner_mesh-tester        FAIL      12.60 seconds
TestRunner_smp-tester         PASS      8.60 seconds
TestRunner_userchan-tester    PASS      6.69 seconds
TestRunner_6lowpan-tester     FAIL      8.87 seconds
IncrementalBuild              PENDING   0.38 seconds

Details
##############################
Test: CheckPatch - PENDING
Desc: Run checkpatch.pl script
Output:

##############################
Test: GitLint - PENDING
Desc: Run gitlint
Output:

##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.103 seconds
##############################
Test: TestRunner_sco-tester - FAIL
Desc: Run sco-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
7.0.0-rc2-g8eb098256f88 #1 Not tainted
------------------------------------------------------
kworker/u5:2/117 is trying to acquire lock:
ffff888001abe240 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}, at: sco_connect_cfm+0x358/0x8d0

but task is already holding lock:
ffff888002094c20 (&conn->lock){+.+.}-{3:3}, at: sco_connect_cfm+0x22d/0x8d0

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (&conn->lock){+.+.}-{3:3}:
       lock_acquire+0xf7/0x2c0
       _raw_spin_lock+0x2a/0x40
       sco_sock_connect+0x4d7/0x1280
       __sys_connect+0x1a3/0x260
       __x64_sys_connect+0x6e/0xb0
       do_syscall_64+0xa0/0x570
       entry_SYSCALL_64_after_hwframe+0x74/0x7c

-> #0 (sk_lock-AF_BLUETOOTH-BTPROTO_SCO){+.+.}-{0:0}:
       check_prev_add+0xe9/0xc70
       __lock_acquire+0x1457/0x1df0
       lock_acquire+0xf7/0x2c0
       lock_sock_nested+0x36/0xd0
       sco_connect_cfm+0x358/0x8d0
       hci_sync_conn_complete_evt+0x3d3/0x8e0
       hci_event_packet+0x74f/0xb10
       hci_rx_work+0x398/0xd00
       process_scheduled_works+0xb16/0x1ac0
       worker_thread+0x4ff/0xba0
       kthread+0x368/0x490
       ret_from_fork+0x498/0x7e0
       ret_from_fork_asm+0x19/0x30

other info that might help us debug this:

...
BUG: sleeping function called from invalid context at net/core/sock.c:3782
in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 117, name: kworker/u5:2
preempt_count: 1, expected: 0
RCU nest depth: 0, expected: 0
INFO: lockdep is turned off.
CPU: 0 UID: 0 PID: 117 Comm: kworker/u5:2 Not tainted 7.0.0-rc2-g8eb098256f88 #1 PREEMPT(lazy) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014
Workqueue: hci0 hci_rx_work
Call Trace:
 <TASK>
 dump_stack_lvl+0x49/0x60
 __might_resched+0x2ea/0x500
 lock_sock_nested+0x47/0xd0
 ? sco_connect_cfm+0x358/0x8d0
 sco_connect_cfm+0x358/0x8d0
 ? hci_debugfs_create_conn+0x190/0x210
 ? __pfx_sco_connect_cfm+0x10/0x10
 hci_sync_conn_complete_evt+0x3d3/0x8e0
 hci_event_packet+0x74f/0xb10
 ? __pfx_hci_sync_conn_complete_evt+0x10/0x10
 ? __pfx_hci_event_packet+0x10/0x10
 ? mark_held_locks+0x49/0x80
 ? lockdep_hardirqs_on_prepare+0xd4/0x180
 ? _raw_spin_unlock_irqrestore+0x2c/0x50
 hci_rx_work+0x398/0xd00
 process_scheduled_works+0xb16/0x1ac0
 ? __pfx_process_scheduled_works+0x10/0x10
 ? lock_acquire+0xf7/0x2c0
 ? lock_is_held_type+0x9b/0x110
 ? __pfx_hci_rx_work+0x10/0x10
 worker_thread+0x4ff/0xba0
 ? _raw_spin_unlock_irqrestore+0x2c/0x50
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x368/0x490
 ? _raw_spin_unlock_irq+0x23/0x40
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x498/0x7e0
 ? __pfx_ret_from_fork+0x10/0x10
 ? __switch_to+0x9e4/0xe50
 ? __switch_to_asm+0x32/0x60
...
Total: 30, Passed: 30 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.676 seconds
Mesh - Send cancel - 2                               Timed out    1.994 seconds
##############################
Test: TestRunner_6lowpan-tester - FAIL
Desc: Run 6lowpan-tester with test-runner
Output:
WARNING: possible circular locking dependency detected
7.0.0-rc2-g8eb098256f88 #1 Not tainted
------------------------------------------------------
kworker/0:1/11 is trying to acquire lock:
ffff8880026e0940 ((wq_completion)hci0#2){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x75/0x180

but task is already holding lock:
ffffffffb4a4d720 (rtnl_mutex){+.+.}-{4:4}, at: lowpan_unregister_netdev+0xd/0x30

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #4 (rtnl_mutex){+.+.}-{4:4}:
       lock_acquire+0xf7/0x2c0
       __mutex_lock+0x16b/0x1fc0
       lowpan_register_netdev+0x11/0x30
       chan_ready_cb+0x836/0xd00
       l2cap_recv_frame+0x6a06/0x8920
       l2cap_recv_acldata+0x790/0xdf0
       hci_rx_work+0x500/0xd00
       process_scheduled_works+0xb16/0x1ac0
       worker_thread+0x4ff/0xba0
       kthread+0x368/0x490
       ret_from_fork+0x498/0x7e0
       ret_from_fork_asm+0x19/0x30

-> #3 (&chan->lock#3/1){+.+.}-{4:4}:
       lock_acquire+0xf7/0x2c0
       __mutex_lock+0x16b/0x1fc0
       l2cap_chan_connect+0x74e/0x1980
       lowpan_control_write+0x523/0x660
       full_proxy_write+0x10b/0x190
       vfs_write+0x1c0/0xf60
       ksys_write+0xf1/0x1d0
       do_syscall_64+0xa0/0x570
       entry_SYSCALL_64_after_hwframe+0x74/0x7c

-> #2 (&conn->lock){+.+.}-{4:4}:
...
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
##############################
Test: IncrementalBuild - PENDING
Desc: Incremental build with the patches in the series
Output:



https://github.com/bluez/bluetooth-next/pull/44/checks

---
Regards,
Linux Bluetooth