[PATCH BlueZ] sdp: fix overflow in sdp_extract

Linux bluetooth development
 help / color / mirror / Atom feed

* [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 14:50 admin
  2026-05-04 14:59 ` [BlueZ] " bluez.test.bot
  0 siblings, 1 reply; 4+ messages in thread
From: admin @ 2026-05-04 14:50 UTC (permalink / raw)
  To: linux-bluetooth@vger.kernel.org; +Cc: Luiz Augusto von Dentz

To: linux-bluetooth@vger.kernel.orgSubject: [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()

From: Martin Brodeur <admin@fluentlogic.org>

bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.

Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1.

Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
 lib/bluetooth/sdp.c | 9 +++++++--
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
                        SDPERR("Unexpected end of packet");
                        return 0;
                }
-       *size = bt_get_be32(buf);
+       {
+               uint32_t val32 = bt_get_be32(buf);
+
+               if (val32 > INT_MAX) {
+                       SDPERR("Sequence length overflow");
+                       return 0;
+               }
+               *size = (int) val32;
+       }
                scanned += sizeof(uint32_t);
                break;
        default:



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
  2026-05-04 14:50 [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype() admin
@ 2026-05-04 14:59 ` bluez.test.bot
  0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-04 14:59 UTC (permalink / raw)
  To: linux-bluetooth, admin

[-- Attachment #1: Type: text/plain, Size: 541 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

error: patch failed: lib/bluetooth/sdp.c:1249
error: lib/bluetooth/sdp.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 15:16 Martin Brodeur
  2026-05-04 16:28 ` [BlueZ] " bluez.test.bot
  0 siblings, 1 reply; 4+ messages in thread
From: Martin Brodeur @ 2026-05-04 15:16 UTC (permalink / raw)
  To: linux-bluetooth

From 5c7f4c201c85248499a1cc873dc6144b555d2e83 Mon Sep 17 00:00:00 2001
From: Martin Brodeur <admin@fluentlogic.org>
Date: Mon, 4 May 2026 09:48:37 -0400
Subject: [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()

bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.

Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1.

Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
 lib/bluetooth/sdp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
 			SDPERR("Unexpected end of packet");
 			return 0;
 		}
-		*size = bt_get_be32(buf);
+		{
+			uint32_t val32 = bt_get_be32(buf);
+
+			if (val32 > INT_MAX) {
+				SDPERR("Sequence length overflow");
+				return 0;
+			}
+			*size = (int) val32;
+		}
 		scanned += sizeof(uint32_t);
 		break;
 	default:
-- 
2.39.5 (Apple Git-154)


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
  2026-05-04 15:16 [PATCH BlueZ] " Martin Brodeur
@ 2026-05-04 16:28 ` bluez.test.bot
  0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-04 16:28 UTC (permalink / raw)
  To: linux-bluetooth, admin

[-- Attachment #1: Type: text/plain, Size: 382 bytes --]

This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 16:01 Martin Brodeur
  2026-05-04 17:26 ` [BlueZ] " bluez.test.bot
  0 siblings, 1 reply; 4+ messages in thread
From: Martin Brodeur @ 2026-05-04 16:01 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Martin Brodeur

bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.

Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1.

Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
 lib/bluetooth/sdp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
 			SDPERR("Unexpected end of packet");
 			return 0;
 		}
-		*size = bt_get_be32(buf);
+		{
+			uint32_t val32 = bt_get_be32(buf);
+
+			if (val32 > INT_MAX) {
+				SDPERR("Sequence length overflow");
+				return 0;
+			}
+			*size = (int) val32;
+		}
 		scanned += sizeof(uint32_t);
 		break;
 	default:
-- 
2.39.5 (Apple Git-154)



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* RE: [BlueZ] sdp: fix overflow in sdp_extract_seqtype()
  2026-05-04 16:01 [PATCH BlueZ] " Martin Brodeur
@ 2026-05-04 17:26 ` bluez.test.bot
  0 siblings, 0 replies; 4+ messages in thread
From: bluez.test.bot @ 2026-05-04 17:26 UTC (permalink / raw)
  To: linux-bluetooth, admin

[-- Attachment #1: Type: text/plain, Size: 1986 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089386

---Test result---

Test Summary:
CheckPatch                    FAIL      0.34 seconds
GitLint                       PASS      0.23 seconds
BuildEll                      PASS      20.37 seconds
BluezMake                     PASS      669.02 seconds
MakeCheck                     PASS      0.90 seconds
MakeDistcheck                 PASS      247.28 seconds
CheckValgrind                 PASS      222.09 seconds
CheckSmatch                   PASS      354.69 seconds
bluezmakeextell               PASS      189.55 seconds
IncrementalBuild              PASS      643.57 seconds
ScanBuild                     PASS      1054.69 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
[BlueZ] sdp: fix overflow in sdp_extract_seqtype()
ERROR:GIT_COMMIT_ID: Please use git commit description style 'commit <12+ chars of sha1> ("<title line>")' - ie: 'commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes")'
#68: 
covered by commit 31e4fb1.

/github/workspace/src/patch/14553286.patch total: 1 errors, 0 warnings, 16 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14553286.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

https://github.com/bluez/bluez/pull/2092

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-05-04 17:26 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 14:50 [PATCH BlueZ] sdp: fix overflow in sdp_extract_seqtype() admin
2026-05-04 14:59 ` [BlueZ] " bluez.test.bot
  -- strict thread matches above, loose matches on Subject: below --
2026-05-04 15:16 [PATCH BlueZ] " Martin Brodeur
2026-05-04 16:28 ` [BlueZ] " bluez.test.bot
2026-05-04 16:01 [PATCH BlueZ] " Martin Brodeur
2026-05-04 17:26 ` [BlueZ] " bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox