From: David Carlier
To: netdev@vger.kernel.org
Cc: linux-bluetooth@vger.kernel.org, David Carlier, stable@vger.kernel.org, Marcel Holtmann, Luiz Augusto von Dentz, linux-kernel@vger.kernel.org
Subject: [PATCH net] Bluetooth: ISO: drop ISO_END frames received without prior ISO_START
Date: Fri, 15 May 2026 07:25:25 +0100
Message-ID: <20260515062525.57603-1-devnexen@gmail.com>
X-Mailer: git-send-email 2.53.0

ISO data PDUs carry a packet-boundary flag indicating START, CONT, END or
SINGLE. The ISO_CONT branch of iso_recv() guards against a missing ISO_START
by checking conn->rx_len before touching conn->rx_skb, but ISO_END does not.

If a peer sends an ISO_END as the first packet on a fresh ISO connection,
conn->rx_skb is still NULL and conn->rx_len is zero, so
skb_put(conn->rx_skb, ...) dereferences NULL and oopses. For BIS, where
receivers sync to a broadcaster without pairing, any broadcaster on the air
can trigger this.

Mirror the ISO_CONT check at the top of ISO_END so a stray end fragment is
logged and dropped instead of crashing the host.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Assisted-by: Claude:claude-opus-4-7
Signed-off-by: David Carlier
---
 net/bluetooth/iso.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 7cb2864fe872..b971281f0a2b 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -2593,6 +2593,11 @@ int iso_recv(struct hci_dev *hdev, u16 handle, struct sk_buff *skb, u16 flags) break; case ISO_END: + if (!conn->rx_len) { + BT_ERR("Unexpected end frame (len %d)", skb->len); + goto drop; + } + skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), skb->len); conn->rx_len -= skb->len; -- 2.53.0
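Review bot: the new guard closes the NULL `conn->rx_skb` case but leaves the very next line, `skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), skb->len)`, trusting `skb->len` against whatever tailroom was reserved when the START fragment allocated `conn->rx_skb`; `skb_put()` on an skb without enough tailroom ends in skb_over_panic(), and the following `conn->rx_len -= skb->len` wraps when the end fragment is longer than what remains. Since the stated intent is to mirror ISO_CONT, consider a second check in the same spot, `if (skb->len > conn->rx_len)`, that frees the partial `conn->rx_skb`, zeroes `conn->rx_len` and drops, so that an over-long ISO_END from the same unauthenticated broadcaster is logged and discarded just like the stray one.

The reassembly state the commit message describes, as a user-space C model added here for illustration; it is neither the kernel's net/bluetooth/iso.c nor the patch author's code. `struct rx_buf`, `struct iso_conn`, `iso_recv_model()`, its `RX_*` return codes, the `sdu_len` parameter and the `scenario_*()` functions are this example's own constructions (the kernel parses the SDU length from the ISO data load header instead of taking a parameter, and delivers only on END; the model delivers as soon as the announced length is reached). The `rx_skb`/`rx_len` names are kept so the guard the patch adds maps directly onto the ISO_END case. The model goes beyond the hunk in one respect: it also bounds CONT/END fragments against the bytes still expected, which the hunk itself does not do.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pb_flag { ISO_START, ISO_CONT, ISO_END, ISO_SINGLE };	/* packet-boundary flags */
enum rx_result { RX_OK = 0, RX_DELIVERED = 1, RX_DROP = -1 };	/* this model's own codes */

/* Stand-in for the kernel sk_buff (constructed, simplified): sized at START for the whole SDU. */
struct rx_buf { uint8_t *data; size_t len; };

/* Per-connection reassembly state, mirroring conn->rx_skb / conn->rx_len. */
struct iso_conn {
	struct rx_buf *rx_skb;	/* NULL between SDUs */
	size_t rx_len;		/* bytes still expected; 0 means "no SDU in progress" */
	size_t delivered;	/* complete SDUs handed up (constructed counter) */
	size_t dropped;		/* fragments discarded (constructed counter) */
};

static void reset_rx(struct iso_conn *c)
{
	if (c->rx_skb)
		free(c->rx_skb->data);
	free(c->rx_skb);
	c->rx_skb = NULL;
	c->rx_len = 0;
}

/* Model of the reassembly half of iso_recv(). sdu_len is the total length announced
 * with a START/SINGLE fragment and is ignored for CONT/END. The model hands the SDU
 * up as soon as the announced length is reached, whichever flag completes it. */
enum rx_result iso_recv_model(struct iso_conn *c, enum pb_flag pb, size_t sdu_len,
			      const uint8_t *frag, size_t frag_len)
{
	switch (pb) {
	case ISO_START:
	case ISO_SINGLE:
		if (c->rx_len)		/* a new SDU starts: discard the partial one */
			reset_rx(c);
		if (frag_len > sdu_len || (pb == ISO_SINGLE && frag_len != sdu_len))
			goto drop;	/* malformed first fragment */
		c->rx_skb = calloc(1, sizeof(*c->rx_skb));
		if (!c->rx_skb || !(c->rx_skb->data = malloc(sdu_len + 1)))
			goto drop;	/* allocation failure; drop path frees what exists */
		memcpy(c->rx_skb->data, frag, frag_len);
		c->rx_skb->len = frag_len;
		c->rx_len = sdu_len - frag_len;
		break;
	case ISO_CONT:
	case ISO_END:
		/* The guard the patch adds to ISO_END (ISO_CONT already had it):
		 * with no START seen, rx_skb is NULL and must not be touched. */
		if (!c->rx_len)
			goto drop;
		/* Bound the append to what was reserved at START; a fragment
		 * longer than the remainder would otherwise overrun rx_skb. */
		if (frag_len > c->rx_len)
			goto drop;
		memcpy(c->rx_skb->data + c->rx_skb->len, frag, frag_len);
		c->rx_skb->len += frag_len;
		c->rx_len -= frag_len;
		break;
	}
	if (c->rx_len)
		return RX_OK;		/* more fragments expected */
	c->delivered++;			/* SDU complete: hand it up and clear the slot */
	reset_rx(c);
	return RX_DELIVERED;
drop:
	reset_rx(c);			/* a drop also discards any partial SDU */
	c->dropped++;
	return RX_DROP;
}

static const uint8_t frag[4] = { 0xde, 0xad, 0xbe, 0xef };	/* constructed payload; scenarios return 1 on intended behaviour */

int scenario_stray_end(void)	/* END as the very first PDU on a fresh connection */
{
	struct iso_conn c = { 0 };
	int r = iso_recv_model(&c, ISO_END, 0, frag, 4);
	return r == RX_DROP && c.dropped == 1 && c.rx_skb == NULL && c.rx_len == 0;
}
int scenario_three_fragments(void)	/* START 4 of 10, CONT 3, END 3 */
{
	struct iso_conn c = { 0 };
	int ok = iso_recv_model(&c, ISO_START, 10, frag, 4) == RX_OK && c.rx_len == 6;
	ok = ok && iso_recv_model(&c, ISO_CONT, 0, frag, 3) == RX_OK && c.rx_len == 3;
	ok = ok && iso_recv_model(&c, ISO_END, 0, frag, 3) == RX_DELIVERED;
	return ok && c.delivered == 1 && c.rx_skb == NULL;
}
int scenario_oversized_end(void)	/* START 2 of 5, then an END of 4 bytes */
{
	struct iso_conn c = { 0 };
	int ok = iso_recv_model(&c, ISO_START, 5, frag, 2) == RX_OK;
	ok = ok && iso_recv_model(&c, ISO_END, 0, frag, 4) == RX_DROP;
	return ok && c.rx_len == 0 && c.rx_skb == NULL && c.dropped == 1;
}
int main(void)
{
	printf("stray END dropped %d, SDU delivered %d, oversized END dropped %d\n",
	       scenario_stray_end(), scenario_three_fragments(), scenario_oversized_end());
	return 0;
}
```

The invariant the patch relies on is visible in the model: `rx_len == 0` is the only signal that no SDU is in progress, so every path that clears `rx_skb` also zeroes `rx_len`, and every path that appends checks `rx_len` first. The third scenario shows why the length bound matters as well: a `frag_len > rx_len` END is refused before the copy instead of writing past the space reserved at START.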