public inbox for linux-bluetooth@vger.kernel.org
* [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it
@ 2026-04-17  7:34 Pengpeng Hou
  2026-04-17  8:36 ` bluez.test.bot
  0 siblings, 1 reply; 2+ messages in thread
From: Pengpeng Hou @ 2026-04-17  7:34 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: Kees Cook, Jakub Kicinski, Bastien Nocera, Thomas Gleixner,
	Ingo Molnar, linux-bluetooth, linux-kernel, Pengpeng Hou, stable

rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the code does not re-check that the
frame still has at least one payload byte before dereferencing skb->data.
A malformed short frame can therefore trigger an out-of-bounds read.

Drop the frame if the optional credit byte is not present.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 net/bluetooth/rfcomm/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151e..964a78d473cc 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1715,6 +1715,9 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
 	}
 
 	if (pf && d->cfc) {
+		if (!skb->len)
+			goto drop;
+
 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
 
 		d->tx_credits += credits;
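Review bot: the added `if (!skb->len) goto drop;` is the right guard here, because the following line reads `*(u8 *) skb->data` and calls `skb_pull(skb, 1)` unconditionally, so an empty payload after header stripping is exactly the out-of-bounds read the commit message describes; the `drop` label is outside the visible context, so confirm it frees the skb (kfree_skb) and returns instead of falling through to the data delivery path. Optional, and not part of this fix: the pre-existing line `u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);` now has its declaration after a statement in the same block and would read more clearly as two lines, `u8 credits = *(u8 *) skb->data;` followed by `skb_pull(skb, 1);`.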
-- 
2.50.1 (Apple Git-155)

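The guard the patch adds, modelled in user-space C as an added example (not code from the kernel or from the patch author): a minimal stand-in for `struct sk_buff` and a function that mirrors the fixed credit handling, returning the consumed credits or -1 when the frame must be dropped. The `struct frame`, `rfcomm_take_credits()` and the two sample-frame helpers are hypothetical names chosen for this example; the sample payloads are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the two sk_buff fields the fixed code touches. */
struct frame {
	const uint8_t *data;
	size_t len;
};

/*
 * Mirrors the patched block of rfcomm_recv_data(): when the UIH frame has
 * the P/F bit set and credit-based flow control (cfc) is enabled, the first
 * payload byte is a credit count. Returns the credits consumed (0..255),
 * 0 when no credit byte is expected, or -1 when the frame must be dropped
 * because the byte is absent (the check the patch adds).
 */
int rfcomm_take_credits(struct frame *f, int pf, int cfc, unsigned int *tx_credits)
{
	if (!(pf && cfc))
		return 0;              /* no credit byte in this frame */
	if (!f->len)
		return -1;             /* drop: nothing to dereference */

	uint8_t credits = f->data[0];
	f->data++;                     /* equivalent of skb_pull(skb, 1) */
	f->len--;
	*tx_credits += credits;
	return credits;
}

/* Constructed frame: credit byte 5 followed by two bytes of user data. */
int sample_with_credit(void)
{
	static const uint8_t payload[] = { 5, 'a', 'b' };
	struct frame f = { payload, sizeof(payload) };
	unsigned int tx = 0;
	return rfcomm_take_credits(&f, 1, 1, &tx);
}

/* Constructed malformed frame: header stripped, zero payload bytes left. */
int sample_short_frame(void)
{
	static const uint8_t payload[] = { 0 };
	struct frame f = { payload, 0 };
	unsigned int tx = 0;
	return rfcomm_take_credits(&f, 1, 1, &tx);
}

int main(void)
{
	printf("credits=%d short=%d\n", sample_with_credit(), sample_short_frame());
	return 0;
}
```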


* RE: Bluetooth: RFCOMM: require a credit byte before consuming it
  2026-04-17  7:34 [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it Pengpeng Hou
@ 2026-04-17  8:36 ` bluez.test.bot
  0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2026-04-17  8:36 UTC (permalink / raw)
  To: linux-bluetooth, pengpeng


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1082376

---Test result---

Test Summary:
CheckPatch                    PASS      0.78 seconds
GitLint                       PASS      0.34 seconds
SubjectPrefix                 PASS      0.13 seconds
BuildKernel                   PASS      24.95 seconds
CheckAllWarning               PASS      27.68 seconds
CheckSparse                   PASS      26.20 seconds
BuildKernel32                 PASS      24.60 seconds
TestRunnerSetup               PASS      517.52 seconds
TestRunner_rfcomm-tester      PASS      9.45 seconds
IncrementalBuild              PASS      23.60 seconds
https://github.com/bluez/bluetooth-next/pull/97

---
Regards,
Linux Bluetooth

