* [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 14:50 admin
2026-05-04 14:59 ` [BlueZ] " bluez.test.bot
0 siblings, 1 reply; 4+ messages in thread
From: admin @ 2026-05-04 14:50 UTC (permalink / raw)
To: linux-bluetooth@vger.kernel.org; +Cc: Luiz Augusto von Dentz
To: linux-bluetooth@vger.kernel.orgSubject: [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()
From: Martin Brodeur <admin@fluentlogic.org>
bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.
Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1.
Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
lib/bluetooth/sdp.c | 9 +++++++--
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
SDPERR("Unexpected end of packet");
return 0;
}
- *size = bt_get_be32(buf);
+ {
+ uint32_t val32 = bt_get_be32(buf);
+
+ if (val32 > INT_MAX) {
+ SDPERR("Sequence length overflow");
+ return 0;
+ }
+ *size = (int) val32;
+ }
scanned += sizeof(uint32_t);
break;
default:
^ permalink raw reply related [flat|nested] 4+ messages in thread
* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
2026-05-04 14:50 [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype() admin
@ 2026-05-04 14:59 ` bluez.test.bot
0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-04 14:59 UTC (permalink / raw)
To: linux-bluetooth, admin
[-- Attachment #1: Type: text/plain, Size: 541 bytes --]
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
error: patch failed: lib/bluetooth/sdp.c:1249
error: lib/bluetooth/sdp.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
2026-05-04 15:16 [PATCH BlueZ] " Martin Brodeur
@ 2026-05-04 16:28 ` bluez.test.bot
0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-04 16:28 UTC (permalink / raw)
To: linux-bluetooth, admin
[-- Attachment #1: Type: text/plain, Size: 382 bytes --]
This is an automated email and please do not reply to this email.
Dear Submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.
----- Output -----
Please resolve the issue and submit the patches again.
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
2026-05-04 16:01 [PATCH BlueZ] " Martin Brodeur
@ 2026-05-04 17:26 ` bluez.test.bot
0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-04 17:26 UTC (permalink / raw)
To: linux-bluetooth, admin
[-- Attachment #1: Type: text/plain, Size: 1986 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089386
---Test result---
Test Summary:
CheckPatch FAIL 0.34 seconds
GitLint PASS 0.23 seconds
BuildEll PASS 20.37 seconds
BluezMake PASS 669.02 seconds
MakeCheck PASS 0.90 seconds
MakeDistcheck PASS 247.28 seconds
CheckValgrind PASS 222.09 seconds
CheckSmatch PASS 354.69 seconds
bluezmakeextell PASS 189.55 seconds
IncrementalBuild PASS 643.57 seconds
ScanBuild PASS 1054.69 seconds
Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ] sdp: fix overflow in sdp_extract_seqtype()
ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes")'
#68:
covered by commit 31e4fb1.
/github/workspace/src/patch/14553286.patch total: 1 errors, 0 warnings, 16 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
/github/workspace/src/patch/14553286.patch has style problems, please review.
NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
https://github.com/bluez/bluez/pull/2092
---
Regards,
Linux Bluetooth
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-04 17:26 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 14:50 [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype() admin
2026-05-04 14:59 ` [BlueZ] " bluez.test.bot
-- strict thread matches above, loose matches on Subject: below --
2026-05-04 15:16 [PATCH BlueZ] " Martin Brodeur
2026-05-04 16:28 ` [BlueZ] " bluez.test.bot
2026-05-04 16:01 [PATCH BlueZ] " Martin Brodeur
2026-05-04 17:26 ` [BlueZ] " bluez.test.bot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox