mirrors/linux
2
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-05-16 09:02:21 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
bda93eec78cdbfe5cda00785cefebd443e56b88b
linux/net/bluetooth
History
Keenan Dong bda93eec78 Bluetooth: MGMT: validate mesh send advertising payload length 
mesh_send() currently bounds MGMT_OP_MESH_SEND by total command
length, but it never verifies that the bytes supplied for the
flexible adv_data[] array actually match the embedded adv_data_len
field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a
truncated command can still pass the existing 20..50 byte range
check and later drive the async mesh send path past the end of the
queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but
validate adv_data_len explicitly and require the command length to
exactly match the flexible array size before queueing the request.

Fixes: b338d91703 ("Bluetooth: Implement support for Mesh")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
2026-04-01 16:47:19 -04:00
..
bnep
Bluetooth: bnep: fix wild-memory-access in proto_unregister
2024-10-16 16:10:03 -04:00
cmtp
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
hidp
Bluetooth: HIDP: Fix possible UAF
2026-03-12 15:27:46 -04:00
rfcomm
Convert 'alloc_flex' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
6lowpan.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
af_bluetooth.c
Bluetooth: ISO: add socket option to report packet seqnum via CMSG
2025-07-23 10:31:19 -04:00
aosp.c
Bluetooth: aosp: Fix typo in comment
2025-07-23 10:30:18 -04:00
aosp.h
Bluetooth: aosp: Support AOSP Bluetooth Quality Report
2021-11-02 19:37:52 +01:00
coredump.c
Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
2025-07-23 10:33:57 -04:00
ecdh_helper.c
Bluetooth: Use crypto_wait_req
2023-02-13 18:34:48 +08:00
ecdh_helper.h
Fix misc new gcc warnings
2021-04-27 17:05:53 -07:00
eir.c
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
2025-06-11 16:29:22 -04:00
eir.h
Bluetooth: eir: Fix possible crashes on eir_create_adv_data
2025-06-11 16:29:22 -04:00
hci_codec.c
Bluetooth: Fix support for Read Local Supported Codecs V2
2022-12-02 13:09:31 -08:00
hci_codec.h
Bluetooth: Add support for Read Local Supported Codecs V2
2021-09-07 14:09:18 -07:00
hci_conn.c
Bluetooth: hci_conn: fix potential UAF in set_cig_params_sync
2026-04-01 16:46:33 -04:00
hci_core.c
Bluetooth: hci_sync: annotate data-races around hdev->req_status
2026-03-19 14:43:20 -04:00
hci_debugfs.c
Bluetooth: hci_dev: replace 'quirks' integer by 'quirk_flags' bitmap
2025-07-16 15:37:53 -04:00
hci_debugfs.h
Bluetooth: hci_core: Move all debugfs handling to hci_debugfs.c
2021-09-22 16:17:13 +02:00
hci_drv.c
Bluetooth: Introduce HCI Driver protocol
2025-05-21 10:28:07 -04:00
hci_event.c
Bluetooth: hci_event: fix potential UAF in hci_le_remote_conn_param_req_evt
2026-04-01 16:46:55 -04:00
hci_sock.c
Bluetooth: purge error queues in socket destructors
2026-02-23 15:30:16 -05:00
hci_sync.c
Bluetooth: hci_sync: Fix UAF in le_read_features_complete
2026-04-01 16:45:24 -04:00
hci_sysfs.c
Bluetooth: Allow reset via sysfs
2025-01-15 10:37:07 -05:00
iso.c
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
2026-02-26 08:00:13 -08:00
Kconfig
Bluetooth: Remove BT_HS
2024-03-06 17:22:39 -05:00
l2cap_core.c
Bluetooth: L2CAP: Fix ERTM re-init and zero pdu_len infinite loop
2026-03-25 15:32:32 -04:00
l2cap_sock.c
Bluetooth: L2CAP: Fix null-ptr-deref on l2cap_sock_ready_cb
2026-03-19 14:44:04 -04:00
leds.c
Bluetooth: Use led_set_brightness() in LED trigger activate() callback
2024-09-10 13:06:11 -04:00
leds.h
treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500
2019-06-19 17:09:55 +02:00
lib.c
Bluetooth: Fix typos in comments
2025-07-23 10:30:48 -04:00
Makefile
Bluetooth: Introduce HCI Driver protocol
2025-05-21 10:28:07 -04:00
mgmt_config.c
Bluetooth: mgmt: Add idle_timeout to configurable system parameters
2026-01-29 13:24:22 -05:00
mgmt_config.h
Bluetooth: mgmt: Add commands for runtime configuration
2020-06-18 13:11:03 +03:00
mgmt_util.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
mgmt_util.h
Bluetooth: MGMT: Fix possible UAFs
2025-09-22 10:30:00 -04:00
mgmt.c
Bluetooth: MGMT: validate mesh send advertising payload length
2026-04-01 16:47:19 -04:00
msft.c
Convert 'alloc_obj' family to use the new default GFP_KERNEL argument
2026-02-21 17:09:51 -08:00
msft.h
Bluetooth: msft: fix slab-use-after-free in msft_do_close()
2024-05-03 13:05:28 -04:00
sco.c
Bluetooth: SCO: fix race conditions in sco_sock_connect()
2026-04-01 16:43:53 -04:00
selftest.c
crypto: ecdh - move curve_id of ECDH from the key to algorithm name
2021-03-13 00:04:03 +11:00
selftest.h
Bluetooth: Add support for self testing framework
2014-12-30 08:53:55 +02:00
smp.c
Bluetooth: SMP: make SM/PER/KDU/BI-04-C happy
2026-03-12 15:26:30 -04:00
smp.h
Bluetooth: SMP: If an unallowed command is received consider it a failure
2025-07-16 15:33:30 -04:00