* Bluetooth: ISO: null ptr deref in iso_recv() on ISO_END without prior ISO_START
From: Alexandru Hossu @ 2026-05-15 10:29 UTC
To: linux-bluetooth; +Cc: marcel, luiz.dentz
Hi,
I found a null pointer dereference in iso_recv() in net/bluetooth/iso.c.
At lines 2595-2596:
	case ISO_END:
		skb_copy_from_linear_data(skb,
					  skb_put(conn->rx_skb, skb->len), skb->len);
conn->rx_skb is passed to skb_put() without a NULL check.
It can be NULL in two cases. First, if ISO_END arrives without a prior
ISO_START frame, conn->rx_skb was never allocated. Second, the ISO_CONT
overflow error path at lines 2581-2587 calls kfree_skb(conn->rx_skb) and
sets it to NULL. A subsequent ISO_END hits the same path.
The ISO_CONT case at line 2575 has a guard:
	if (!conn->rx_len) {
		goto drop;
	}
ISO_END has no equivalent protection.
Suggested fix:
	case ISO_END:
		if (!conn->rx_skb)
			goto drop;
		skb_copy_from_linear_data(skb,
					  skb_put(conn->rx_skb, skb->len), skb->len);
Attack surface: CIS requires an established ACL connection. BIS requires
the victim to sync to a malicious broadcaster. Not zero-click but reachable
from an adjacent unauthenticated source on CIS paths.
Tested on linux-next commit e98d21c170b0 (2026-05-08).
Alexandru
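The two NULL-dereference paths described in the report, as an added userland model that is not the kernel's iso_recv() and not code from the reporter: a small reassembly state machine with ISO_START / ISO_CONT / ISO_END cases, the `!rx_len` guard on ISO_CONT, the overflow path that frees the buffer and sets it to NULL, and an ISO_END case that either carries the proposed `!rx_skb` check or does not. All names (`iso_conn`, `iso_recv_model`, `rx_buf`, `rx_used`, the scenario functions) and the fragment payloads are assumptions of the model; sk_buff handling and the single-fragment case are omitted, and the unguarded ISO_END reports a result code instead of actually writing through NULL.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fragment types standing in for the cases iso_recv() switches on. */
enum iso_frag { ISO_START, ISO_CONT, ISO_END };

/* What happened to one fragment. */
enum iso_result {
	ISO_OK,         /* consumed, SDU still being reassembled */
	ISO_DELIVERED,  /* completed an SDU, handed upward */
	ISO_DROP,       /* one of the "goto drop" paths */
	ISO_NULL_DEREF, /* unguarded ISO_END would write through NULL rx_buf */
};

/* Model of conn->rx_skb / conn->rx_len (rx_buf/rx_used are the model's own). */
struct iso_conn {
	uint8_t *rx_buf;  /* NULL whenever no SDU is in flight */
	size_t rx_used;   /* bytes copied so far */
	size_t rx_len;    /* bytes still expected */
	size_t delivered; /* SDUs completed */
};

/* Equivalent of kfree_skb(conn->rx_skb); conn->rx_skb = NULL. */
static void iso_reset(struct iso_conn *c)
{
	free(c->rx_buf);
	c->rx_buf = NULL;
	c->rx_used = c->rx_len = 0;
}

/* Feed one fragment; sdu_len is the total announced by ISO_START and is
 * ignored otherwise; guarded selects the proposed NULL check on ISO_END. */
static enum iso_result iso_recv_model(struct iso_conn *c, enum iso_frag type,
				      const uint8_t *data, size_t len,
				      size_t sdu_len, bool guarded)
{
	switch (type) {
	case ISO_START:
		iso_reset(c);                 /* abandon any partial SDU */
		if (len > sdu_len)
			return ISO_DROP;
		c->rx_buf = malloc(sdu_len ? sdu_len : 1);
		if (!c->rx_buf)
			return ISO_DROP;
		memcpy(c->rx_buf, data, len);
		c->rx_used = len;
		c->rx_len = sdu_len - len;
		return ISO_OK;
	case ISO_CONT:
		if (!c->rx_len)               /* the guard the report quotes */
			return ISO_DROP;
		if (len > c->rx_len) {        /* overflow path: free and NULL */
			iso_reset(c);
			return ISO_DROP;
		}
		memcpy(c->rx_buf + c->rx_used, data, len);
		c->rx_used += len;
		c->rx_len -= len;
		return ISO_OK;
	case ISO_END:
		if (!c->rx_buf)               /* nothing to append to */
			return guarded ? ISO_DROP : ISO_NULL_DEREF;
		if (len != c->rx_len) {       /* model: END must complete the SDU */
			iso_reset(c);
			return ISO_DROP;
		}
		memcpy(c->rx_buf + c->rx_used, data, len);
		c->delivered++;
		iso_reset(c);                 /* buffer handed upward, slot cleared */
		return ISO_DELIVERED;
	}
	return ISO_DROP;
}

/* Constructed fragment payloads for the scenarios below. */
static const uint8_t frag_a[] = { 0x01, 0x02, 0x03, 0x04 };
static const uint8_t frag_b[] = { 0x05, 0x06, 0x07, 0x08 };
static const uint8_t frag_big[] = { 0x10, 0x11, 0x12, 0x13, 0x14, 0x15 };

/* Case 1 from the report: ISO_END with no prior ISO_START. */
static enum iso_result end_without_start(bool guarded)
{
	struct iso_conn c = { 0 };
	enum iso_result r = iso_recv_model(&c, ISO_END, frag_a, sizeof frag_a, 0, guarded);
	iso_reset(&c);
	return r;
}

/* Case 2 from the report: ISO_CONT overflow frees rx_buf, then ISO_END arrives. */
static enum iso_result end_after_cont_overflow(bool guarded)
{
	struct iso_conn c = { 0 };
	enum iso_result r = iso_recv_model(&c, ISO_START, frag_a, sizeof frag_a, 8, guarded);
	assert(r == ISO_OK);
	r = iso_recv_model(&c, ISO_CONT, frag_big, sizeof frag_big, 0, guarded);
	assert(r == ISO_DROP && c.rx_buf == NULL);
	r = iso_recv_model(&c, ISO_END, frag_b, sizeof frag_b, 0, guarded);
	iso_reset(&c);
	return r;
}

/* Well-formed START/CONT/END sequence: the guard must not break delivery. */
static enum iso_result wellformed_sdu(bool guarded)
{
	struct iso_conn c = { 0 };
	iso_recv_model(&c, ISO_START, frag_a, sizeof frag_a, 12, guarded);
	iso_recv_model(&c, ISO_CONT, frag_b, sizeof frag_b, 0, guarded);
	enum iso_result r = iso_recv_model(&c, ISO_END, frag_a, sizeof frag_a, 0, guarded);
	assert(c.delivered == 1);
	iso_reset(&c);
	return r;
}

int main(void)
{
	static const char *name[] = { "ok", "delivered", "drop", "NULL deref" };
	printf("END without START:      unguarded=%s guarded=%s\n",
	       name[end_without_start(false)], name[end_without_start(true)]);
	printf("END after CONT overflow: unguarded=%s guarded=%s\n",
	       name[end_after_cont_overflow(false)], name[end_after_cont_overflow(true)]);
	printf("well-formed SDU:        guarded=%s\n", name[wellformed_sdu(true)]);
	return 0;
}
```

The model keeps the ISO_CONT `!rx_len` guard exactly as the report quotes it and shows why it does not cover ISO_END: after the overflow path both rx_buf and rx_len are cleared, so a CONT is rejected but an END reaches the copy. The guarded variant returns ISO_DROP in both reported cases while still delivering a well-formed three-fragment SDU.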