
Merge tag 'for-net-2025-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth

Luiz Augusto von Dentz says:

====================
bluetooth pull request for net:

- btrtl: Fix memory leak in rtlbt_parse_firmware_v2()
- MGMT: Fix OOB access in parse_adv_monitor_pattern()
- hci_event: validate skb length for unknown CC opcode

* tag 'for-net-2025-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth:
Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
Bluetooth: btrtl: Fix memory leak in rtlbt_parse_firmware_v2()
Bluetooth: hci_event: validate skb length for unknown CC opcode
====================

Link: https://patch.msgid.link/20251031170959.590470-1-luiz.dentz@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+14 -5
+3 -1
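--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -625,8 +625,10 @@
 len += entry->len;
 }
 
-if (!len)
+if (!len) {
+kvfree(ptr);
 return -EPERM;
+}
 
 *_buf = ptr;
 return len;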
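Review bot: The new `!len` branch now releases `ptr`, but the ownership rule for `*_buf` on a negative return is still implicit; a one-line comment above the branch, `/* No usable patch entries: drop the assembled buffer; *_buf is left untouched */`, would state what the caller may rely on. The only visible transfer of ownership is `*_buf = ptr` on the success path, so callers presumably must not read `*_buf` after an error — worth spelling out. If the function has other failure exits after `ptr` is allocated (not visible here), routing them through a single `kvfree` label would keep this leak from reappearing. rtlbt_parse_firmware_v2 starts and ends outside the hunk.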
+1 -1
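--- a/include/net/bluetooth/mgmt.h
+++ b/include/net/bluetooth/mgmt.h
@@ -780,7 +780,7 @@
 __u8 ad_type;
 __u8 offset;
 __u8 length;
-__u8 value[31];
+__u8 value[HCI_MAX_AD_LENGTH];
 } __packed;
 
 #define MGMT_OP_ADD_ADV_PATTERNS_MONITOR 0x0052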
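Review bot: `value[]` is part of a `__packed` MGMT message handed in from userspace, so sizing it by `HCI_MAX_AD_LENGTH` makes the wire layout follow a macro defined in another header that could be changed for unrelated reasons; a comment on the field, `/* ABI: must stay 31 bytes (HCI_MAX_AD_LENGTH) */`, or a build-time check such as `static_assert(HCI_MAX_AD_LENGTH == 31);`, would pin that. The change itself is the right direction, since it lets the validation in net/bluetooth/mgmt.c bound `offset` and `length` against the same constant the array is declared with.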
+7
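--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4218,6 +4218,13 @@
 }
 
 if (i == ARRAY_SIZE(hci_cc_table)) {
+if (!skb->len) {
+bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status",
+*opcode);
+*status = HCI_ERROR_UNSPECIFIED;
+return;
+}
+
 /* Unknown opcode, assume byte 0 contains the status, so
 * that e.g. __hci_cmd_sync() properly returns errors
 * for vendor specific commands send by HCI drivers.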
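Review bot: The new zero-length guard logs with `bt_dev_err` on every unknown command-complete event that arrives without a status byte, and that path is driven entirely by controller input; if the ratelimited variant (`bt_dev_err_ratelimited`) is available in this tree it is the better fit, so a misbehaving or hostile controller cannot flood the kernel log. The comment immediately below the insertion still describes only the byte-0 assumption; extending it with one line, `* A CC with an empty payload cannot carry a status and is rejected above.`, keeps the two halves of the branch in sync. The enclosing function continues outside the hunk.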
+3 -3
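--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5395,9 +5395,9 @@
 for (i = 0; i < pattern_count; i++) {
 offset = patterns[i].offset;
 length = patterns[i].length;
-if (offset >= HCI_MAX_EXT_AD_LENGTH ||
-length > HCI_MAX_EXT_AD_LENGTH ||
-(offset + length) > HCI_MAX_EXT_AD_LENGTH)
+if (offset >= HCI_MAX_AD_LENGTH ||
+length > HCI_MAX_AD_LENGTH ||
+(offset + length) > HCI_MAX_AD_LENGTH)
 return MGMT_STATUS_INVALID_PARAMS;
 
 p = kmalloc(sizeof(*p), GFP_KERNEL);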
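Review bot: The bound now agrees with the `value[HCI_MAX_AD_LENGTH]` field, but the check still names the constant independently of the struct, which is exactly how the two drifted apart before (the old code tested against HCI_MAX_EXT_AD_LENGTH while the array held 31 bytes); deriving the limit from the field itself, `if (offset >= sizeof(patterns[i].value) || length > sizeof(patterns[i].value) || (offset + length) > sizeof(patterns[i].value))`, ties the validation to the buffer it protects. Both `offset` and `length` are `__u8`, so `offset + length` is promoted to int and cannot wrap, and the three-term form is sound as written. parse_adv_monitor_pattern continues outside the hunk.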