Linux bluetooth development
* [PATCH v3] Bluetooth: MGMT: validate advertising TLV before type checks
@ 2026-05-28  9:45 Zhang Cen
  2026-05-28 10:34 ` [v3] " bluez.test.bot
  2026-05-28 14:20 ` [PATCH v3] " patchwork-bot+bluetooth
  0 siblings, 2 replies; 3+ messages in thread
From: Zhang Cen @ 2026-05-28  9:45 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: linux-bluetooth, linux-kernel, Paul Menzel, zerocling0077,
	2045gemini, Zhang Cen

tlv_data_is_valid() reads each advertising data field length from
data[i], then inspects data[i + 1] for managed EIR types before
checking that the current field still fits inside the supplied buffer.

A malformed field whose length byte is the last byte of the buffer can
therefore make the parser read one byte past the advertising data.

KASAN reported the following when a malformed MGMT_OP_ADD_ADVERTISING
request reached that path:

  BUG: KASAN: vmalloc-out-of-bounds in tlv_data_is_valid()
  Read of size 1
  Call trace:
    tlv_data_is_valid()
    add_advertising()
    hci_mgmt_cmd()
    hci_sock_sendmsg()

Move the existing element-length check before any type-octet inspection
so each non-empty element is proven to contain its type byte before the
parser looks at data[i + 1].

Fixes: 2bb36870e8cb ("Bluetooth: Unify advertising instance flags check")
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
---
v3:
- Move the KASAN excerpt earlier in the commit message.
- Add Reviewed-by from Paul Menzel.

 net/bluetooth/mgmt.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index de5bd6b637b20..027b266ccc747 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -8638,6 +8638,12 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
 		if (!cur_len)
 			continue;
 
+		/* If the current field length would exceed the total data
+		 * length, then it's invalid.
+		 */
+		if (i + cur_len >= len)
+			return false;
+
 		if (data[i + 1] == EIR_FLAGS &&
 		    (!is_adv_data || flags_managed(adv_flags)))
 			return false;
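Review bot: the hoisted `if (i + cur_len >= len)` in this hunk is also what makes the `data[i + 1]` read immediately below it safe, but the comment that moved with it still only talks about the field exceeding the total data length. Because `cur_len` is non-zero at this point (the `!cur_len` case has already hit `continue`), `i + cur_len < len` implies `i + 1 < len`, which is the property the commit message relies on. Suggest saying so in the comment, e.g. `/* ... and, since cur_len >= 1 here, proves the type octet at data[i + 1] is in bounds. */`, so a later reordering of the loop does not quietly move the check back below the type tests.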
@@ -8654,12 +8660,6 @@ static bool tlv_data_is_valid(struct hci_dev *hdev, u32 adv_flags, u8 *data,
 		if (data[i + 1] == EIR_APPEARANCE &&
 		    appearance_managed(adv_flags))
 			return false;
-
-		/* If the current field length would exceed the total data
-		 * length, then it's invalid.
-		 */
-		if (i + cur_len >= len)
-			return false;
 	}
 
 	return true;
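Review bot: the six lines removed here are byte-identical (comment included) to the six added in the previous hunk, so after this hunk the loop body ends at the EIR_APPEARANCE test with no trailing bounds check; that is only correct because the same iteration has already proven the element length before any `data[i + 1]` read. Worth confirming on the applied tree that `git diff --color-moved` shows this block as a pure move and that the only other change is the dropped blank line before the closing `}`, i.e. that nothing else in tlv_data_is_valid() shifted.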
-- 
2.43.0


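The ordering bug the commit message describes, as an added stand-alone example that is not code from the kernel, from this patch or from its author. Both walkers follow the shape of tlv_data_is_valid() (length octet, type octet, payload; a zero length octet is skipped), but every read goes through a bounds-tracking helper that records the highest index touched instead of actually dereferencing past the buffer, so the pre-patch ordering's out-of-bounds read shows up as a number rather than as undefined behaviour. The names walk_before, walk_after, rd and type_rejected, the two bool parameters standing in for flags_managed()/appearance_managed() together with is_adv_data, and the three sample buffers are all assumptions made for this example; the buffers are constructed, not captured traffic.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* EIR type values as used by the Bluetooth advertising data format. */
#define EIR_FLAGS      0x01
#define EIR_APPEARANCE 0x19

struct walk_result {
	bool valid;       /* verdict of the validator */
	size_t max_index; /* highest data[] index it tried to dereference */
};

/* Bounds-tracking read: records the index; returns 0 instead of reading past len. */
static uint8_t rd(const uint8_t *data, size_t len, size_t idx, size_t *max_index)
{
	if (idx > *max_index)
		*max_index = idx;
	return idx < len ? data[idx] : 0;
}

/* Hypothetical stand-in for the managed-type tests on the type octet. */
static bool type_rejected(uint8_t type, bool flags_managed, bool appearance_managed)
{
	if (type == EIR_FLAGS && flags_managed)
		return true;
	if (type == EIR_APPEARANCE && appearance_managed)
		return true;
	return false;
}

/* Pre-patch order: inspect data[i + 1], then check that the element fits. */
struct walk_result walk_before(const uint8_t *data, size_t len,
			       bool flags_managed, bool appearance_managed)
{
	struct walk_result r = { true, 0 };
	size_t i, cur_len;

	for (i = 0; i < len; i += cur_len + 1) {
		cur_len = rd(data, len, i, &r.max_index);
		if (!cur_len)
			continue;
		/* Type octet read happens even when the element runs off the end. */
		if (type_rejected(rd(data, len, i + 1, &r.max_index),
				  flags_managed, appearance_managed)) {
			r.valid = false;
			return r;
		}
		if (i + cur_len >= len) {
			r.valid = false;
			return r;
		}
	}
	return r;
}

/* Patched order: prove the element fits (hence i + 1 < len) before reading its type. */
struct walk_result walk_after(const uint8_t *data, size_t len,
			      bool flags_managed, bool appearance_managed)
{
	struct walk_result r = { true, 0 };
	size_t i, cur_len;

	for (i = 0; i < len; i += cur_len + 1) {
		cur_len = rd(data, len, i, &r.max_index);
		if (!cur_len)
			continue;
		if (i + cur_len >= len) {
			r.valid = false;
			return r;
		}
		/* cur_len >= 1 and i + cur_len < len, so data[i + 1] is in bounds. */
		if (type_rejected(rd(data, len, i + 1, &r.max_index),
				  flags_managed, appearance_managed)) {
			r.valid = false;
			return r;
		}
	}
	return r;
}

/* Constructed sample buffers. */
/* Flags element, then a trailing element whose length octet is the last byte. */
const uint8_t adv_trailing_len[] = { 0x02, EIR_FLAGS, 0x06, 0x01 };
/* Well-formed: one TX Power Level element (type 0x0a) with a one-byte payload. */
const uint8_t adv_ok[] = { 0x02, 0x0a, 0x00 };
/* Flags element that a caller with a managed-flags policy must reject. */
const uint8_t adv_flags_only[] = { 0x02, EIR_FLAGS, 0x06 };

int main(void)
{
	size_t len = sizeof adv_trailing_len;
	struct walk_result b = walk_before(adv_trailing_len, len, false, false);
	struct walk_result a = walk_after(adv_trailing_len, len, false, false);

	printf("len=%zu before: valid=%d max_index=%zu\n", len, b.valid, b.max_index);
	printf("len=%zu after:  valid=%d max_index=%zu\n", len, a.valid, a.max_index);
	return 0;
}
```

Both orderings reject adv_trailing_len, which is why the bug is an information-leak-free one-byte over-read rather than an accepted bad element: the pre-patch walker reaches index 4 of a 4-byte buffer (the KASAN "Read of size 1" in the commit message) before its own length check fires, while the patched walker never goes past index 3. The well-formed and policy-rejected buffers behave identically under both walkers, which is the property a regression test for this patch should pin down.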

* RE: [v3] Bluetooth: MGMT: validate advertising TLV before type checks
  2026-05-28  9:45 [PATCH v3] Bluetooth: MGMT: validate advertising TLV before type checks Zhang Cen
@ 2026-05-28 10:34 ` bluez.test.bot
  2026-05-28 14:20 ` [PATCH v3] " patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2026-05-28 10:34 UTC (permalink / raw)
  To: linux-bluetooth, rollkingzzc


This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=1102158

---Test result---

Test Summary:
CheckPatch                    PASS      0.56 seconds
VerifyFixes                   PASS      0.08 seconds
VerifySignedoff               PASS      0.07 seconds
GitLint                       PASS      0.21 seconds
SubjectPrefix                 PASS      0.07 seconds
BuildKernel                   PASS      27.49 seconds
CheckAllWarning               PASS      30.32 seconds
CheckSparse                   PASS      28.51 seconds
BuildKernel32                 PASS      26.71 seconds
TestRunnerSetup               PASS      596.18 seconds
TestRunner_mgmt-tester        FAIL      227.64 seconds
TestRunner_mesh-tester        FAIL      25.88 seconds
IncrementalBuild              PASS      26.28 seconds

Details
##############################
Test: TestRunner_mgmt-tester - FAIL
Desc: Run mgmt-tester with test-runner
Output:
Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.265 seconds
##############################
Test: TestRunner_mesh-tester - FAIL
Desc: Run mesh-tester with test-runner
Output:
Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    1.836 seconds
Mesh - Send cancel - 2                               Timed out    1.994 seconds


https://github.com/bluez/bluetooth-next/pull/252

---
Regards,
Linux Bluetooth



* Re: [PATCH v3] Bluetooth: MGMT: validate advertising TLV before type checks
  2026-05-28  9:45 [PATCH v3] Bluetooth: MGMT: validate advertising TLV before type checks Zhang Cen
  2026-05-28 10:34 ` [v3] " bluez.test.bot
@ 2026-05-28 14:20 ` patchwork-bot+bluetooth
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+bluetooth @ 2026-05-28 14:20 UTC (permalink / raw)
  To: Cen Zhang
  Cc: marcel, luiz.dentz, linux-bluetooth, linux-kernel, pmenzel,
	zerocling0077, 2045gemini

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 28 May 2026 17:45:06 +0800 you wrote:
> tlv_data_is_valid() reads each advertising data field length from
> data[i], then inspects data[i + 1] for managed EIR types before
> checking that the current field still fits inside the supplied buffer.
> 
> A malformed field whose length byte is the last byte of the buffer can
> therefore make the parser read one byte past the advertising data.
> 
> [...]

Here is the summary with links:
  - [v3] Bluetooth: MGMT: validate advertising TLV before type checks
    https://git.kernel.org/bluetooth/bluetooth-next/c/899a200a7648

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



