* [PATCH] Bluetooth: L2CAP: validate connectionless PSM length @ 2026-06-08 23:57 Samuel Moelius 2026-06-09 1:59 ` bluez.test.bot 0 siblings, 1 reply; 3+ messages in thread From: Samuel Moelius @ 2026-06-08 23:57 UTC (permalink / raw) To: Marcel Holtmann Cc: Samuel Moelius, Luiz Augusto von Dentz, open list:BLUETOOTH SUBSYSTEM, open list Connectionless L2CAP frames carry a two-byte PSM at the start of the payload. l2cap_recv_frame() currently reads that PSM unconditionally after validating only the outer L2CAP length. A malformed connectionless frame with a zero- or one-byte payload can therefore make the parser read beyond the advertised skb payload and use tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer injected a one-byte connectionless payload and reached the unchecked read. Reject connectionless frames that cannot contain the PSM before reading or pulling it. This preserves all valid connectionless frames while dropping only structurally incomplete packets. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com> --- net/bluetooth/l2cap_core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index c4ccfbda9d78..a9353fa91588 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -7026,6 +7026,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) break; case L2CAP_CID_CONN_LESS: + if (skb->len < L2CAP_PSMLEN_SIZE) { + kfree_skb(skb); + break; + } + psm = get_unaligned((__le16 *) skb->data); skb_pull(skb, L2CAP_PSMLEN_SIZE); l2cap_conless_channel(conn, psm, skb); -- 2.43.0 ^ permalink raw reply related [flat|nested] 3+ messages in thread
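Review bot: the commit message describes a length bug reachable from any peer that can send a connectionless L2CAP frame, but the patch carries no Fixes: tag and no Cc: stable, so the new check will not be picked up by stable kernels automatically; please add a Fixes: line pointing at the commit that introduced the unconditional PSM read (VerifyFixes only checks the format of a tag that is present, not that one exists). The check itself is right: with L2CAP_PSMLEN_SIZE being 2, `if (skb->len < L2CAP_PSMLEN_SIZE)` rejects exactly the zero- and one-byte payloads the message describes, while a two-byte PSM-only frame still reaches l2cap_conless_channel() as before. Since the frame is dropped silently with `kfree_skb(skb); break;`, a BT_DBG() on that path noting the short length would help when triaging fuzzer or malformed-peer traffic against this code.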
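The parse-then-check ordering the commit message describes, as an added userspace model that is not kernel code and not part of the patch: a basic L2CAP header (2-byte little-endian length, 2-byte CID) is validated against the bytes that arrived, the payload is dispatched by CID, and for CID 0x0002 (connectionless) the two-byte PSM is read from the front of the payload. The `struct fake_skb`, the `TAILROOM_FILL` marker, the `hardened` flag and the function and verdict names are assumptions made for this example; the outer length check stands in for the check the real ACL receive path performs before l2cap_recv_frame() runs. Tailroom is filled with 0xAA so that a PSM assembled from bytes beyond `skb->len` is visible in the result.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define L2CAP_HDR_SIZE      4      /* length (2) + channel id (2), little-endian */
#define L2CAP_PSMLEN_SIZE   2      /* PSM that leads a connectionless payload */
#define L2CAP_CID_CONN_LESS 0x0002
#define TAILROOM_FILL       0xAA   /* marker for bytes beyond the advertised payload */

/* Stand-in for the parts of sk_buff the parse touches (assumption: not kernel code). */
struct fake_skb {
    uint8_t  buf[64];
    uint8_t *data;
    size_t   len;
};

enum verdict { DROP_BAD_HDR, DROP_SHORT_PSM, DELIVERED, IGNORED_CID };

struct parse_result {
    enum verdict verdict;
    uint16_t     psm;              /* value handed to the connectionless handler */
    size_t       bytes_past_len;   /* PSM bytes taken from beyond skb->len */
};

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Model of the receive path: validate the basic header, then dispatch by CID.
 * 'hardened' selects the behaviour with the patch's length check in place. */
static struct parse_result l2cap_recv_model(const uint8_t *frame, size_t frame_len, int hardened)
{
    struct parse_result r = { DROP_BAD_HDR, 0, 0 };
    struct fake_skb skb;
    uint16_t len, cid;

    if (frame_len < L2CAP_HDR_SIZE || frame_len - L2CAP_HDR_SIZE > sizeof(skb.buf))
        return r;
    len = get_le16(frame);
    cid = get_le16(frame + 2);
    /* Outer length check: the advertised length must match what arrived. */
    if (len != frame_len - L2CAP_HDR_SIZE)
        return r;

    /* Build the payload skb; everything after skb->len is tailroom. */
    memset(skb.buf, TAILROOM_FILL, sizeof(skb.buf));
    memcpy(skb.buf, frame + L2CAP_HDR_SIZE, len);
    skb.data = skb.buf;
    skb.len = len;

    if (cid != L2CAP_CID_CONN_LESS) {
        r.verdict = IGNORED_CID;
        return r;
    }

    if (hardened && skb.len < L2CAP_PSMLEN_SIZE) {
        r.verdict = DROP_SHORT_PSM;   /* the patch: free the skb and stop */
        return r;
    }

    /* Unconditional read: with len < 2 this pulls tailroom bytes into the PSM. */
    r.psm = get_le16(skb.data);
    r.bytes_past_len = skb.len < L2CAP_PSMLEN_SIZE ? L2CAP_PSMLEN_SIZE - skb.len : 0;
    skb.data += L2CAP_PSMLEN_SIZE;
    skb.len = skb.len >= L2CAP_PSMLEN_SIZE ? skb.len - L2CAP_PSMLEN_SIZE : 0;
    r.verdict = DELIVERED;
    return r;
}

/* Constructed test frames: basic header followed by payload, little-endian fields. */
static const uint8_t frame_ok[]       = { 0x03, 0x00, 0x02, 0x00, 0x01, 0x00, 'x' }; /* len 3, CID 2, PSM 0x0001 */
static const uint8_t frame_one[]      = { 0x01, 0x00, 0x02, 0x00, 0x01 };            /* len 1: half a PSM */
static const uint8_t frame_zero[]     = { 0x00, 0x00, 0x02, 0x00 };                  /* len 0: no PSM at all */
static const uint8_t frame_badlen[]   = { 0x05, 0x00, 0x02, 0x00, 0x01 };            /* claims 5 bytes, carries 1 */
static const uint8_t frame_othercid[] = { 0x01, 0x00, 0x40, 0x00, 0x01 };            /* CID 0x0040: not connectionless */

int main(void)
{
    struct parse_result r = l2cap_recv_model(frame_one, sizeof(frame_one), 0);
    printf("unpatched: verdict=%d psm=0x%04x bytes past len=%zu\n", r.verdict, r.psm, r.bytes_past_len);
    r = l2cap_recv_model(frame_one, sizeof(frame_one), 1);
    printf("patched:   verdict=%d (DROP_SHORT_PSM=%d)\n", r.verdict, DROP_SHORT_PSM);
    return 0;
}
```

On the one-byte frame the unpatched path delivers PSM 0xAA01, the high byte coming from tailroom, and on the zero-byte frame it delivers 0xAAAA from two tailroom bytes; the patched path rejects both before any read, while the valid three-byte frame is delivered with PSM 0x0001 in either mode.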
* RE: Bluetooth: L2CAP: validate connectionless PSM length
  2026-06-08 23:57 [PATCH] Bluetooth: L2CAP: validate connectionless PSM length Samuel Moelius
@ 2026-06-09  1:59 ` bluez.test.bot
  2026-06-09  2:50   ` Victor Yeo
  0 siblings, 1 reply; 3+ messages in thread

From: bluez.test.bot @ 2026-06-09 1:59 UTC (permalink / raw)
To: linux-bluetooth, sam.moelius

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108158

---Test result---

Test Summary:
CheckPatch              PASS      0.60 seconds
VerifyFixes             PASS      0.09 seconds
VerifySignedoff         PASS      0.09 seconds
GitLint                 PASS      0.25 seconds
SubjectPrefix           PASS      0.11 seconds
BuildKernel             PASS      27.18 seconds
CheckAllWarning         PASS      29.26 seconds
CheckSparse             PASS      27.84 seconds
BuildKernel32           PASS      26.17 seconds
TestRunnerSetup         PASS      578.06 seconds
TestRunner_l2cap-tester PASS      60.04 seconds
IncrementalBuild        PASS      25.60 seconds

https://github.com/bluez/bluetooth-next/pull/294

---
Regards,
Linux Bluetooth

^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Bluetooth: L2CAP: validate connectionless PSM length
  2026-06-09  1:59 ` bluez.test.bot
@ 2026-06-09  2:50   ` Victor Yeo
  0 siblings, 0 replies; 3+ messages in thread

From: Victor Yeo @ 2026-06-09 2:50 UTC (permalink / raw)
To: linux-bluetooth

unsubscribe

On Mon, Jun 8, 2026 at 6:59 PM <bluez.test.bot@gmail.com> wrote:
>
> This is an automated email; please do not reply to it!
>
> Dear submitter,
>
> Thank you for submitting the patches to the linux bluetooth mailing list.
> These are the CI test results for your patch series:
> PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=1108158
>
> ---Test result---
>
> Test Summary:
> CheckPatch              PASS      0.60 seconds
> VerifyFixes             PASS      0.09 seconds
> VerifySignedoff         PASS      0.09 seconds
> GitLint                 PASS      0.25 seconds
> SubjectPrefix           PASS      0.11 seconds
> BuildKernel             PASS      27.18 seconds
> CheckAllWarning         PASS      29.26 seconds
> CheckSparse             PASS      27.84 seconds
> BuildKernel32           PASS      26.17 seconds
> TestRunnerSetup         PASS      578.06 seconds
> TestRunner_l2cap-tester PASS      60.04 seconds
> IncrementalBuild        PASS      25.60 seconds
>
> https://github.com/bluez/bluetooth-next/pull/294
>
> ---
> Regards,
> Linux Bluetooth
>

^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads: [~2026-06-09 2:50 UTC | newest]

Thread overview: 3+ messages
2026-06-08 23:57 [PATCH] Bluetooth: L2CAP: validate connectionless PSM length Samuel Moelius
2026-06-09  1:59 ` bluez.test.bot
2026-06-09  2:50   ` Victor Yeo