public inbox for stable@vger.kernel.org
* [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it
@ 2026-04-17  7:34 Pengpeng Hou
  2026-04-22 15:15 ` Luiz Augusto von Dentz
  2026-04-23 15:31 ` [PATCH v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data() Pengpeng Hou
  0 siblings, 2 replies; 4+ messages in thread
From: Pengpeng Hou @ 2026-04-17  7:34 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: Kees Cook, Jakub Kicinski, Bastien Nocera, Thomas Gleixner,
	Ingo Molnar, linux-bluetooth, linux-kernel, Pengpeng Hou, stable

rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the code does not re-check that the
frame still has at least one payload byte before dereferencing skb->data.
A malformed short frame can therefore trigger an out-of-bounds read.

Drop the frame if the optional credit byte is not present.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 net/bluetooth/rfcomm/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151e..964a78d473cc 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1715,6 +1715,9 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
 	}
 
 	if (pf && d->cfc) {
+		if (!skb->len)
+			goto drop;
+
 		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
 
 		d->tx_credits += credits;
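Review bot: the new guard `if (!skb->len)` and the read it protects, `u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);`, stay two separate steps, so the raw `skb->data` dereference and the unchecked `skb_pull()` remain in the code with only a length test placed in front of them. `u8 *credits = skb_pull_data(skb, 1);` followed by `if (!credits) goto drop;` does the length check and the pull in one call, returns NULL when no byte is left, and removes the bare `skb->data` access entirely; the two statements joined on one line could be split while this spot is being touched.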
-- 
2.50.1 (Apple Git-155)



* Re: [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it
  2026-04-17  7:34 [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it Pengpeng Hou
@ 2026-04-22 15:15 ` Luiz Augusto von Dentz
  2026-04-23 15:31 ` [PATCH v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data() Pengpeng Hou
  1 sibling, 0 replies; 4+ messages in thread
From: Luiz Augusto von Dentz @ 2026-04-22 15:15 UTC (permalink / raw)
  To: Pengpeng Hou
  Cc: Marcel Holtmann, Kees Cook, Jakub Kicinski, Bastien Nocera,
	Thomas Gleixner, Ingo Molnar, linux-bluetooth, linux-kernel,
	stable

Hi Pengpeng,

On Fri, Apr 17, 2026 at 3:35 AM Pengpeng Hou <pengpeng@iscas.ac.cn> wrote:
>
> rfcomm_recv_data() treats the first payload byte as a credit field when
> the UIH frame carries PF and credit-based flow control is enabled.
>
> After the header has been stripped, the code does not re-check that the
> frame still has at least one payload byte before dereferencing skb->data.
> A malformed short frame can therefore trigger an out-of-bounds read.
>
> Drop the frame if the optional credit byte is not present.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
>
> Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
> ---
>  net/bluetooth/rfcomm/core.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index 611a9a94151e..964a78d473cc 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1715,6 +1715,9 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
>         }
>
>         if (pf && d->cfc) {
> +               if (!skb->len)
> +                       goto drop;

We can probably use skb_pull_data below, which checks skb->len.

>                 u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
>
>                 d->tx_credits += credits;
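Review bot: the `goto drop` added after `if (!skb->len)` jumps to a label that is outside the quoted context; rfcomm_recv_data() owns the skb on this path, so that label has to free the buffer rather than simply return, or every empty PF/CFC frame leaks an skb. Worth confirming from the full function before reworking this spot around skb_pull_data().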
> --
> 2.50.1 (Apple Git-155)
>


-- 
Luiz Augusto von Dentz


* [PATCH v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data()
  2026-04-17  7:34 [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it Pengpeng Hou
  2026-04-22 15:15 ` Luiz Augusto von Dentz
@ 2026-04-23 15:31 ` Pengpeng Hou
  2026-04-24 18:50   ` patchwork-bot+bluetooth
  1 sibling, 1 reply; 4+ messages in thread
From: Pengpeng Hou @ 2026-04-23 15:31 UTC (permalink / raw)
  To: Marcel Holtmann, Luiz Augusto von Dentz
  Cc: Kees Cook, Jakub Kicinski, Ingo Molnar, Bastien Nocera,
	Thomas Gleixner, linux-bluetooth, linux-kernel, stable, pengpeng

rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the PF/CFC path consumes that byte
with a direct skb->data dereference followed by skb_pull(). A malformed
short frame can reach this path without a byte available.

Use skb_pull_data() so the length check and pull happen together before
the returned credit byte is consumed.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
Changes since v1:
- use skb_pull_data() as suggested by Luiz Augusto von Dentz

diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index 611a9a94151e..d11bd5337d57 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -1715,9 +1715,12 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
 	}
 
 	if (pf && d->cfc) {
-		u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
+		u8 *credits = skb_pull_data(skb, 1);
 
-		d->tx_credits += credits;
+		if (!credits)
+			goto drop;
+
+		d->tx_credits += *credits;
 		if (d->tx_credits)
 			clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
 	}
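Review bot: the v2 trailers carry `Fixes:` but no longer the `Cc: stable@vger.kernel.org` line that v1 had; for a fix to a peer-triggerable out-of-bounds read on a parse path, that trailer is what gets the commit picked into stable trees, and having stable only in the mail's Cc is not the same thing. On the hunk itself, `u8 *credits = skb_pull_data(skb, 1);` followed by `d->tx_credits += *credits;` is correct, since skb_pull_data() returns the pre-pull data pointer, but a pointer named `credits` whose pointee is the credit count reads awkwardly; `u8 *credit = skb_pull_data(skb, 1);` or copying into a local `u8 credits = *p;` would keep the arithmetic line identical to the old one.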
-- 
2.50.1 (Apple Git-155)


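A userspace model of the path that both the v1 and v2 commit messages describe, added here as an example; it is not kernel code and not the author's patch. `sk_buff`, `skb_pull()` and `skb_pull_data()` are re-implemented with the contract the kernel helpers have (an assumption of the example; the real structures carry far more), the pre-fix and post-fix shapes of the PF/CFC branch are written side by side, and a 0xEE sentinel after the payload stands in for whatever memory follows a short frame, so the read past the frame becomes observable instead of undefined. The DLC field widths, the `RX_*` verdicts and the sample payloads are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel sk_buff with only the fields this path touches
 * (assumption of the example: a linear buffer, no paged data). */
struct sk_buff { uint8_t *data; unsigned int len; };

/* Same contract as the kernel skb_pull(): NULL if more is pulled than is
 * present, otherwise advance data and shrink len. */
static void *skb_pull(struct sk_buff *skb, unsigned int len)
{
	if (len > skb->len)
		return NULL;
	skb->len -= len;
	skb->data += len;
	return skb->data;
}

/* Same contract as the kernel skb_pull_data(): length check and pull in one
 * step, returning the bytes just consumed or NULL when they are absent. */
static void *skb_pull_data(struct sk_buff *skb, size_t len)
{
	void *data = skb->data;
	if (skb->len < len)
		return NULL;
	skb_pull(skb, (unsigned int)len);
	return data;
}

/* The DLC state the credit path updates (field widths chosen for the example). */
struct rfcomm_dlc {
	unsigned int tx_credits;
	bool cfc;		/* credit-based flow control is enabled */
	bool tx_throttled;	/* stands in for the RFCOMM_TX_THROTTLED bit */
};

enum { RX_DELIVERED = 0, RX_DROPPED = 1 };

/* Pre-fix shape of the branch: skb->data is read before anyone checks that the
 * frame still holds a byte; the later skb_pull() refuses, but too late. */
static int recv_data_before(struct rfcomm_dlc *d, int pf, struct sk_buff *skb)
{
	if (pf && d->cfc) {
		uint8_t credits = *(uint8_t *)skb->data;	/* past the frame when len == 0 */
		skb_pull(skb, 1);
		d->tx_credits += credits;
		if (d->tx_credits)
			d->tx_throttled = false;
	}
	return skb->len ? RX_DELIVERED : RX_DROPPED;
}

/* Post-fix shape: check and pull are one call, and the byte is only read
 * through the non-NULL pointer that call returns. */
static int recv_data_after(struct rfcomm_dlc *d, int pf, struct sk_buff *skb)
{
	if (pf && d->cfc) {
		uint8_t *credits = skb_pull_data(skb, 1);
		if (!credits)
			return RX_DROPPED;
		d->tx_credits += *credits;
		if (d->tx_credits)
			d->tx_throttled = false;
	}
	return skb->len ? RX_DELIVERED : RX_DROPPED;
}

/* read_past_frame: the pre-fix code consumed the sentinel instead of a frame byte. */
struct rx_result { int verdict; unsigned int tx_credits; bool throttled; bool read_past_frame; };

/* Feed one UIH payload (header already stripped, as on the kernel path) to one
 * version. The payload sits in front of a 0xEE sentinel that stands in for
 * whatever memory follows a short frame (constructed input). */
static struct rx_result run_payload(const uint8_t *payload, size_t n, int pf, bool fixed)
{
	uint8_t buf[64];
	struct rfcomm_dlc d = { .tx_credits = 0, .cfc = true, .tx_throttled = true };
	struct rx_result r = { 0 };
	struct sk_buff skb = { .data = buf, .len = 0 };

	if (n > sizeof(buf) - 1)
		n = sizeof(buf) - 1;	/* keep the sentinel inside the buffer */
	memset(buf, 0xEE, sizeof(buf));
	if (n)
		memcpy(buf, payload, n);
	skb.len = (unsigned int)n;

	/* The unchecked read happens exactly when the branch runs on an empty frame. */
	r.read_past_frame = !fixed && pf && d.cfc && n == 0;
	r.verdict = fixed ? recv_data_after(&d, pf, &skb) : recv_data_before(&d, pf, &skb);
	r.tx_credits = d.tx_credits;
	r.throttled = d.tx_throttled;
	return r;
}
```

Calling `run_payload(NULL, 0, 1, false)` models the malformed frame from the commit message: the pre-fix branch credits the DLC with the sentinel value 0xEE and clears the throttle bit on the strength of a byte the peer never sent, while `run_payload(NULL, 0, 1, true)` returns `RX_DROPPED` with the credit count untouched. A payload that is only a zero credit byte is dropped by both versions after the credit update, which is the pre-existing `skb->len` handling and not part of the fix.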

* Re: [PATCH v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data()
  2026-04-23 15:31 ` [PATCH v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data() Pengpeng Hou
@ 2026-04-24 18:50   ` patchwork-bot+bluetooth
  0 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+bluetooth @ 2026-04-24 18:50 UTC (permalink / raw)
  To: Pengpeng Hou
  Cc: marcel, luiz.dentz, kees, kuba, mingo, hadess, tglx,
	linux-bluetooth, linux-kernel, stable

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Thu, 23 Apr 2026 23:31:00 +0800 you wrote:
> rfcomm_recv_data() treats the first payload byte as a credit field when
> the UIH frame carries PF and credit-based flow control is enabled.
> 
> After the header has been stripped, the PF/CFC path consumes that byte
> with a direct skb->data dereference followed by skb_pull(). A malformed
> short frame can reach this path without a byte available.
> 
> [...]

Here is the summary with links:
  - [v2] Bluetooth: RFCOMM: pull credit byte with skb_pull_data()
    https://git.kernel.org/bluetooth/bluetooth-next/c/2940edce391d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



