From: Robert Garcia
To: stable@vger.kernel.org, Luiz Augusto von Dentz
Cc: Marcel Holtmann, Robert Garcia, Johan Hedberg, "David S . Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 6.1.y] Bluetooth: eir: Fix possible crashes on eir_create_adv_data
Date: Tue, 24 Mar 2026 10:34:02 +0800
Message-Id: <20260324023402.2607704-1-rob_garcia@163.com>
X-Mailer: git-send-email 2.34.1
X-Mailing-List: netdev@vger.kernel.org

From: Luiz Augusto von Dentz

[ Upstream commit 47c03902269aff377f959dc3fd94a9733aa31d6e ]

eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER
without checking if that would fit.

Link: https://github.com/bluez/bluez/issues/1117#issuecomment-2958244066
Fixes: 01ce70b0a274 ("Bluetooth: eir: Move EIR/Adv Data functions to its own file")
Signed-off-by: Luiz Augusto von Dentz
[ Use pdu.data instead of pdu->data in hci_set_ext_adv_data_sync() to keep
  context consistency. ]
Signed-off-by: Robert Garcia
---
 net/bluetooth/eir.c      | 7 ++++---
 net/bluetooth/eir.h      | 2 +-
 net/bluetooth/hci_sync.c | 5 +++--
 3 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
index 3e1713673ecc..3f72111ba651 100644
--- a/net/bluetooth/eir.c
+++ b/net/bluetooth/eir.c
@@ -242,7 +242,7 @@ u8 eir_create_per_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr) return ad_len; } -u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr) +u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr, u8 size) { struct adv_info *adv = NULL; u8 ad_len = 0, flags = 0; @@ -286,7 +286,7 @@ u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr) /* If flags would still be empty, then there is no need to * include the "Flags" AD field". */ - if (flags) { + if (flags && (ad_len + eir_precalc_len(1) <= size)) { ptr[0] = 0x02; ptr[1] = EIR_FLAGS; ptr[2] = flags; @@ -316,7 +316,8 @@ u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr) } /* Provide Tx Power only if we can provide a valid value for it */ - if (adv_tx_power != HCI_TX_POWER_INVALID) { + if (adv_tx_power != HCI_TX_POWER_INVALID && + (ad_len + eir_precalc_len(1) <= size)) { ptr[0] = 0x02; ptr[1] = EIR_TX_POWER; ptr[2] = (u8)adv_tx_power; diff --git a/net/bluetooth/eir.h b/net/bluetooth/eir.h index 0df19f2f4af9..4497f8fd5fef 100644 --- a/net/bluetooth/eir.h +++ b/net/bluetooth/eir.h @@ -9,7 +9,7 @@ void eir_create(struct hci_dev *hdev, u8 *data); -u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr); +u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr, u8 size); u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr); u8 eir_create_per_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr); diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c index 5ad09900f8ff..58003f2f6f36 100644 --- a/net/bluetooth/hci_sync.c +++ b/net/bluetooth/hci_sync.c @@ -1248,7 +1248,8 @@ static int hci_set_ext_adv_data_sync(struct hci_dev *hdev, u8 instance) return 0; } - len = eir_create_adv_data(hdev, instance, pdu.data); + len = eir_create_adv_data(hdev, instance, pdu.data, + HCI_MAX_EXT_AD_LENGTH); pdu.cp.length = len; pdu.cp.handle = instance; 
@@ -1279,7 +1280,7 @@ static int hci_set_adv_data_sync(struct hci_dev *hdev, u8 instance) memset(&cp, 0, sizeof(cp)); - len = eir_create_adv_data(hdev, instance, cp.data); + len = eir_create_adv_data(hdev, instance, cp.data, sizeof(cp.data)); /* There's nothing to do if the data hasn't changed */ if (hdev->adv_data_len == len && -- 2.34.1
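Review bot: in the eir.c hunk at @@ -242 the new parameter in `u8 eir_create_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr, u8 size)` is undocumented, and its meaning (total capacity of ptr, not the room remaining) is only inferable from the two callers, which pass different bounds (HCI_MAX_EXT_AD_LENGTH and sizeof(cp.data)). A one-line comment on the declaration would avoid a later caller passing a remaining-length by mistake. Since size is u8, the caller that passes HCI_MAX_EXT_AD_LENGTH also silently depends on that constant fitting in 8 bits; a BUILD_BUG_ON at that call site, or a u16 parameter, would make that explicit if the extended limit ever grows.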
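Review bot: in the eir.c hunk at @@ -286 the comment above `if (flags && (ad_len + eir_precalc_len(1) <= size)) {` still reads "If flags would still be empty, then there is no need to include the Flags AD field" and no longer describes the second condition; it should say that the field is also omitted when it would not fit. More importantly, that omission is silent: the Flags structure is what carries the discoverable-mode bits the caller asked for, so dropping it changes advertising behaviour without any trace. A bt_dev_warn() (or at least bt_dev_dbg()) on the else path would make the truncation visible in the log. The extra parentheses around the comparison are not needed.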
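Review bot: in the eir.c hunk at @@ -316 the Tx Power field is likewise dropped silently when `(ad_len + eir_precalc_len(1) <= size)` fails, so a caller that requested MGMT_ADV_FLAG_TX_POWER gets advertising data without it and no indication why; the comment "Provide Tx Power only if we can provide a valid value for it" should mention the size condition, and a debug message on the skipped path would help. The same `eir_precalc_len(1)` expression now appears twice in the function; hoisting it into a local (for example `u8 field_len = eir_precalc_len(1);`) at the top would keep the two checks in step if the fixed-field layout ever changes.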
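Review bot: in the eir.h hunk only `eir_create_adv_data` gains a bound, while the neighbouring prototypes `u8 eir_create_scan_rsp(struct hci_dev *hdev, u8 instance, u8 *ptr);` and `u8 eir_create_per_adv_data(struct hci_dev *hdev, u8 instance, u8 *ptr);` keep the unbounded form. Worth confirming in the same series that those two builders only copy instance data that was validated when it was added and never append fixed fields of their own; if they do, they need the same `size` parameter, otherwise the asymmetry should be stated in a comment so nobody adds such a field later without a check.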
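Review bot: in the hci_sync.c hunk at @@ -1248 the bound is passed as the constant `HCI_MAX_EXT_AD_LENGTH` while the legacy caller at @@ -1279 passes `sizeof(cp.data)`; `sizeof(pdu.data)` would tie the bound to the buffer actually written and keep both call sites in the same form. The backport note confirms this tree addresses the buffer as `pdu.data`, so `sizeof(pdu.data)` works here as written, and the implicit size_t to u8 narrowing is the same in both callers.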
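The failure mode the commit message describes, as an added example that is not part of the patch or of the kernel: a stand-alone model of the AD-structure builder that eir_create_adv_data() implements, in the field order that function uses (Flags, instance data, Tx Power). The names ad_precalc_len(), ad_append_u8(), build_adv_data() and run_model(), the guard bytes and the constructed 28-byte instance data are assumptions chosen to mirror the patch's eir_precalc_len()/size check; running with checked=false reproduces the pre-patch path and shows the write past the 31-byte legacy payload, checked=true shows the field being dropped instead.

```c
/* Added example, not kernel code: a stand-alone model of the AD-structure
 * builder that eir_create_adv_data() implements, in the field order that
 * function uses (Flags, instance data, Tx Power).  ad_precalc_len(),
 * ad_append_u8(), build_adv_data(), run_model(), the guard bytes and the
 * constructed instance data are assumptions chosen to mirror the patch's
 * eir_precalc_len()/size check; checked=false reproduces the pre-patch path. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AD_FLAGS       0x01   /* EIR_FLAGS AD type octet */
#define AD_TX_POWER    0x0A   /* EIR_TX_POWER AD type octet */
#define LEGACY_AD_MAX  31     /* legacy advertising payload, as sizeof(cp.data) */
#define GUARD_BYTES    8      /* slack after the payload, filled with GUARD */
#define GUARD          0xA5

struct ad_result {
	uint8_t len;            /* AD length the builder returned */
	unsigned int dropped;   /* fixed fields skipped for lack of room */
	bool guard_ok;          /* true if nothing was written past the payload */
};

/* Bytes an AD structure with a data_len-byte payload occupies:
 * length octet + type octet + payload (what eir_precalc_len() computes). */
static unsigned int ad_precalc_len(unsigned int data_len)
{
	return 1 + 1 + data_len;
}

/* Append one single-byte AD structure at buf[*ad_len].  When checked, the
 * field is skipped (return false) if it would not fit in size bytes; *ad_len
 * is promoted to int in the comparison, so the sum cannot wrap in u8. */
static bool ad_append_u8(uint8_t *buf, uint8_t size, uint8_t *ad_len,
			 uint8_t type, uint8_t value, bool checked)
{
	if (checked && *ad_len + ad_precalc_len(1) > size)
		return false;
	buf[*ad_len]     = 0x02;   /* length covers the type and one payload byte */
	buf[*ad_len + 1] = type;
	buf[*ad_len + 2] = value;
	*ad_len += 3;
	return true;
}

/* Flags (if non-zero), then the instance data, then Tx Power (if valid).
 * Returns the AD length; *dropped counts fields skipped for lack of room. */
static uint8_t build_adv_data(uint8_t *buf, uint8_t size,
			      const uint8_t *inst_data, uint8_t inst_len,
			      uint8_t flags, bool tx_valid, int8_t tx_power,
			      bool checked, unsigned int *dropped)
{
	uint8_t ad_len = 0;

	*dropped = 0;
	if (flags && !ad_append_u8(buf, size, &ad_len, AD_FLAGS, flags, checked))
		(*dropped)++;

	/* Instance data is assumed validated against the buffer when it was
	 * added; like the kernel, the model copies it without rechecking. */
	memcpy(buf + ad_len, inst_data, inst_len);
	ad_len += inst_len;

	if (tx_valid && !ad_append_u8(buf, size, &ad_len, AD_TX_POWER,
				      (uint8_t)tx_power, checked))
		(*dropped)++;
	return ad_len;
}

/* Run the builder on a guarded 31-byte legacy payload.  The constructed
 * instance data is one Complete Local Name (0x09) structure of 28 bytes, so
 * Flags still fit (3 + 28 = 31) but Tx Power does not. */
static struct ad_result run_model(bool checked)
{
	uint8_t buf[LEGACY_AD_MAX + GUARD_BYTES];
	uint8_t inst[28] = { 27, 0x09 };   /* length 27 = type + 26 name bytes */
	struct ad_result r;

	memset(inst + 2, 'n', 26);
	memset(buf, 0, sizeof(buf));
	memset(buf + LEGACY_AD_MAX, GUARD, GUARD_BYTES);

	r.len = build_adv_data(buf, LEGACY_AD_MAX, inst, sizeof(inst),
			       0x06 /* LE General Discoverable | BR/EDR Not Supported */,
			       true, 4, checked, &r.dropped);
	r.guard_ok = true;
	for (int i = 0; i < GUARD_BYTES; i++)
		if (buf[LEGACY_AD_MAX + i] != GUARD)
			r.guard_ok = false;
	return r;
}

int main(void)
{
	struct ad_result fixed = run_model(true), old = run_model(false);

	printf("fixed:     len=%u dropped=%u guard_ok=%d\n",
	       fixed.len, fixed.dropped, fixed.guard_ok);
	printf("pre-patch: len=%u dropped=%u guard_ok=%d\n",
	       old.len, old.dropped, old.guard_ok);
	return 0;
}
```

With checked=true the model returns 31 bytes, reports one dropped field and leaves the guard intact; with checked=false it returns 34 and the Tx Power structure lands in the guard region, which is the overwrite the patch's two `ad_len + eir_precalc_len(1) <= size` checks prevent. The model also shows why the comparison cannot wrap: ad_len is a u8 but is promoted to int before the addition.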