[PATCH v3] sdp: fix overflow in sdp_extract

Linux bluetooth development
 help / color / mirror / Atom feed

* [PATCH v3] sdp: fix overflow in sdp_extract_seqtype()
@ 2026-05-04 19:10 Martin Brodeur
  2026-05-04 20:14 ` [v3] " bluez.test.bot
  0 siblings, 1 reply; 2+ messages in thread
From: Martin Brodeur @ 2026-05-04 19:10 UTC (permalink / raw)
  To: linux-bluetooth

>From 9eef1ada8e0ce68413c17223c673034365c641bd Mon Sep 17 00:00:00 2001
From: Martin Brodeur <admin@fluentlogic.org>
Date: Mon, 4 May 2026 13:34:09 -0400
Subject: [PATCH] sdp: fix overflow in sdp_extract_seqtype()

bt_get_be32() returns uint32_t. Assigning directly to the
int *size parameter sign-extends values greater than INT_MAX
to negative, bypassing sequence-length sanity checks in
extract_seq() and sdp_extract_pdu() callers.

Store the result in a uint32_t first and return an error if
the value exceeds INT_MAX. This closes the residual paths not
covered by commit 31e4fb1498f4 ("monitor: Add decoding support
for HIDS 1.1 flags and attributes").

Reported-by: Martin Brodeur <admin@fluentlogic.org>
---
 lib/bluetooth/sdp.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/bluetooth/sdp.c b/lib/bluetooth/sdp.c
index 7210ce0..3295fc0 100644
--- a/lib/bluetooth/sdp.c
+++ b/lib/bluetooth/sdp.c
@@ -1249,7 +1249,15 @@ int sdp_extract_seqtype(const uint8_t *buf, int bufsize, uint8_t *dtdp, int *siz
 			SDPERR("Unexpected end of packet");
 			return 0;
 		}
-		*size = bt_get_be32(buf);
+		{
+			uint32_t val32 = bt_get_be32(buf);
+
+			if (val32 > INT_MAX) {
+				SDPERR("Sequence length overflow");
+				return 0;
+			}
+			*size = (int) val32;
+		}
 		scanned += sizeof(uint32_t);
 		break;
 	default:
-- 
2.39.5 (Apple Git-154)



^ permalink raw reply related	[flat|nested] 2+ messages in thread

* RE: [v3] sdp: fix overflow in sdp_extract_seqtype()
  2026-05-04 19:10 [PATCH v3] sdp: fix overflow in sdp_extract_seqtype() Martin Brodeur
@ 2026-05-04 20:14 ` bluez.test.bot
  0 siblings, 0 replies; 2+ messages in thread
From: bluez.test.bot @ 2026-05-04 20:14 UTC (permalink / raw)
  To: linux-bluetooth, admin

[-- Attachment #1: Type: text/plain, Size: 989 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1089467

---Test result---

Test Summary:
CheckPatch                    PASS      0.35 seconds
GitLint                       PASS      0.24 seconds
BuildEll                      PASS      20.65 seconds
BluezMake                     PASS      677.29 seconds
MakeCheck                     PASS      0.92 seconds
MakeDistcheck                 PASS      250.32 seconds
CheckValgrind                 PASS      224.55 seconds
CheckSmatch                   PASS      355.79 seconds
bluezmakeextell               PASS      184.80 seconds
IncrementalBuild              PASS      669.95 seconds
ScanBuild                     PASS      1033.40 seconds



https://github.com/bluez/bluez/pull/2094

---
Regards,
Linux Bluetooth


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-04 20:14 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-04 19:10 [PATCH v3] sdp: fix overflow in sdp_extract_seqtype() Martin Brodeur
2026-05-04 20:14 ` [v3] " bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox