[PATCH] sdp: fix overflow in sdp_extract

Linux bluetooth development
 help / color / mirror / Atom feed

* [PATCH] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 17:36 Martin Brodeur
  2026-05-04 18:57 ` bluez.test.bot
  0 siblings, 1 reply; 2+ messages in thread
From: Martin Brodeur @ 2026-05-04 17:36 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Martin Brodeur

bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.

Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes").

Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
 lib/bluetooth/sdp.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..d0c681e 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,14 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
 			SDPERR("Unexpected end of packet");
 			return 0;
 		}
-		*size = bt_get_be32(buf);
+		{
+			uint32_t val32 = bt_get_be32(buf);
+			if (val32 > INT_MAX) {
+				SDPERR("Sequence length overflow");
+				return 0;
+			}
+			*size = (int) val32;
+		}
 		scanned += sizeof(uint32_t);
 		break;
 	default:
-- 
2.39.5 (Apple Git-154)



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* RE: sdp: fix overflow in sdp_extract_seqtype()
  2026-05-04 17:36 [PATCH] sdp: fix overflow in sdp_extract_seqtype() Martin Brodeur
@ 2026-05-04 18:57 ` bluez.test.bot
  0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2026-05-04 18:57 UTC (permalink / raw)
  To: linux-bluetooth, admin

[-- Attachment #1: Type: text/plain, Size: 2743 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089431

---Test result---

Test Summary:
CheckPatch                    FAIL      0.43 seconds
GitLint                       FAIL      0.30 seconds
BuildEll                      PASS      21.25 seconds
BluezMake                     PASS      669.07 seconds
MakeCheck                     PASS      0.96 seconds
MakeDistcheck                 PASS      255.38 seconds
CheckValgrind                 PASS      228.99 seconds
CheckSmatch                   PASS      360.28 seconds
bluezmakeextell               PASS      188.30 seconds
IncrementalBuild              PASS      663.48 seconds
ScanBuild                     PASS      1086.34 seconds

Details
##############################
Test: CheckPatch - FAIL
Desc: Run checkpatch.pl script
Output:
sdp: fix overflow in sdp_extract_seqtype()
WARNING:COMMIT_LOG_LONG_LINE: Possible unwrapped commit description (prefer a maximum 75 chars per line)
#68: 
covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes").

WARNING:LINE_SPACING: Missing a blank line after declarations
#86: FILE: lib/bluetooth/sdp.c:1254:
+			uint32_t val32 = bt_get_be32(buf);
+			if (val32 > INT_MAX) {

/github/workspace/src/patch/14553405.patch total: 0 errors, 2 warnings, 15 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

/github/workspace/src/patch/14553405.patch has style problems, please review.

NOTE: Ignored message types: COMMIT_MESSAGE COMPLEX_MACRO CONST_STRUCT FILE_PATH_CHANGES MISSING_SIGN_OFF PREFER_PACKED SPDX_LICENSE_TAG SPLIT_STRING SSCANF_TO_KSTRTO

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

##############################
Test: GitLint - FAIL
Desc: Run gitlint
Output:
sdp: fix overflow in sdp_extract_seqtype()

WARNING: I3 - ignore-body-lines: gitlint will be switching from using Python regex 'match' (match beginning) to 'search' (match anywhere) semantics. Please review your ignore-body-lines.regex option accordingly. To remove this warning, set general.regex-style-search=True. More details: https://jorisroovers.github.io/gitlint/configuration/#regex-style-search
10: B1 Line exceeds max length (99>80): "covered by commit 31e4fb1498f4 ("monitor: Add decoding support for HIDS 1.1 flags and attributes")."

https://github.com/bluez/bluez/pull/2093

---
Regards,
Linux Bluetooth

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-04 18:57 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 17:36 [PATCH] sdp: fix overflow in sdp_extract_seqtype() Martin Brodeur
2026-05-04 18:57 ` bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox