[PATCH 5.10 17/18] Bluetooth: L2CAP: Fix u8 overflow

public inbox for patches@lists.linux.dev
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Sungwoo Kim <iam@sung-woo.kim>,
	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 17/18] Bluetooth: L2CAP: Fix u8 overflow
Date: Mon, 19 Dec 2022 20:25:10 +0100	[thread overview]
Message-ID: <20221219182941.219721956@linuxfoundation.org> (raw)
In-Reply-To: <20221219182940.701087296@linuxfoundation.org>

From: Sungwoo Kim <iam@sung-woo.kim>

[ Upstream commit bcd70260ef56e0aee8a4fc6cd214a419900b0765 ]

By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases
multiple times and eventually it will wrap around the maximum number
(i.e., 255).
This patch prevents this by adding a boundary check with
L2CAP_MAX_CONF_RSP

Btmon log:
Bluetooth monitor ver 5.64
= Note: Linux version 6.1.0-rc2 (x86_64)                               0.264594
= Note: Bluetooth subsystem version 2.22                               0.264636
@ MGMT Open: btmon (privileged) version 1.22                  {0x0001} 0.272191
= New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0)          [hci0] 13.877604
@ RAW Open: 9496 (privileged) version 2.22                   {0x0002} 13.890741
= Open Index: 00:00:00:00:00:00                                [hci0] 13.900426
(...)
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #32 [hci0] 14.273106
        invalid packet size (12 != 1033)
        08 00 01 00 02 01 04 00 01 10 ff ff              ............
> ACL Data RX: Handle 200 flags 0x00 dlen 1547             #33 [hci0] 14.273561
        invalid packet size (14 != 1547)
        0a 00 01 00 04 01 06 00 40 00 00 00 00 00        ........@.....
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #34 [hci0] 14.274390
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04  ........@.......
> ACL Data RX: Handle 200 flags 0x00 dlen 2061             #35 [hci0] 14.274932
        invalid packet size (16 != 2061)
        0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00  ........@.......
= bluetoothd: Bluetooth daemon 5.43                                   14.401828
> ACL Data RX: Handle 200 flags 0x00 dlen 1033             #36 [hci0] 14.275753
        invalid packet size (12 != 1033)
        08 00 01 00 04 01 04 00 40 00 00 00              ........@...

Signed-off-by: Sungwoo Kim <iam@sung-woo.kim>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index c5e4d2b8cb0b..cf56582d298a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4449,7 +4449,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
 
 	chan->ident = cmd->ident;
 	l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, len, rsp);
-	chan->num_conf_rsp++;
+	if (chan->num_conf_rsp < L2CAP_CONF_MAX_CONF_RSP)
+		chan->num_conf_rsp++;
 
 	/* Reset config buffer. */
 	chan->conf_len = 0;
-- 
2.35.1

next prev parent reply	other threads:[~2022-12-19 19:28 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-12-19 19:24 [PATCH 5.10 00/18] 5.10.161-rc1 review Greg Kroah-Hartman
2022-12-19 19:24 ` [PATCH 5.10 01/18] udf: Discard preallocation before extending file with a hole Greg Kroah-Hartman
2022-12-19 19:24 ` [PATCH 5.10 02/18] udf: Fix preallocation discarding at indirect extent boundary Greg Kroah-Hartman
2022-12-19 19:24 ` [PATCH 5.10 03/18] udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size Greg Kroah-Hartman
2022-12-19 19:24 ` [PATCH 5.10 04/18] udf: Fix extending file within last block Greg Kroah-Hartman
2022-12-19 19:24 ` [PATCH 5.10 05/18] usb: gadget: uvc: Prevent buffer overflow in setup handler Greg Kroah-Hartman
2022-12-19 19:24 ` [PATCH 5.10 06/18] USB: serial: option: add Quectel EM05-G modem Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 07/18] USB: serial: cp210x: add Kamstrup RF sniffer PIDs Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 08/18] USB: serial: f81232: fix division by zero on line-speed change Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 09/18] USB: serial: f81534: " Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 10/18] xhci: Apply XHCI_RESET_TO_DEFAULT quirk to ADL-N Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 11/18] igb: Initialize mailbox message for VF reset Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 12/18] usb: ulpi: defer ulpi_register on ulpi_read_id timeout Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 13/18] HID: ite: Add support for Acer S1002 keyboard-dock Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 14/18] HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch 10E Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 15/18] HID: ite: Enable QUIRK_TOUCHPAD_ON_OFF_REPORT on Acer Aspire Switch V 10 Greg Kroah-Hartman
2022-12-19 19:25 ` [PATCH 5.10 16/18] HID: uclogic: Add HID_QUIRK_HIDINPUT_FORCE quirk Greg Kroah-Hartman
2022-12-19 19:25 ` Greg Kroah-Hartman [this message]
2022-12-19 19:25 ` [PATCH 5.10 18/18] net: loopback: use NET_NAME_PREDICTABLE for name_assign_type Greg Kroah-Hartman
2022-12-19 22:12 ` [PATCH 5.10 00/18] 5.10.161-rc1 review Pavel Machek
2022-12-19 22:36 ` Slade Watkins
2022-12-21  1:15   ` Slade Watkins
2022-12-19 23:21 ` Florian Fainelli
2022-12-20  0:22 ` Shuah Khan
2022-12-20  6:57 ` Naresh Kamboju
2022-12-20  9:18 ` Rudi Heitbaum
2022-12-20 11:18 ` Sudip Mukherjee (Codethink)
2022-12-20 14:48 ` Guenter Roeck
2022-12-20 15:33   ` Guenter Roeck
2022-12-20 17:50 ` Jon Hunter

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:c5e4d2b8cb0 dfblob:cf56582d298 )
 OR (
bs:"[PATCH 5.10 17/18] Bluetooth: L2CAP: Fix u8 overflow" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20221219182941.219721956@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=iam@sung-woo.kim \
    --cc=luiz.von.dentz@intel.com \
    --cc=patches@lists.linux.dev \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox