Re: [PATCH v2 1/2] Bluetooth: Fix not checking advertisement bondaries


Hi Luiz,

On Mon, Oct 19, 2020, Luiz Augusto von Dentz wrote:
> When receiving advertisements check if the length is actually within
> the skb, this also makes use of skb_pull to advance on the skb->data
> instead of a custom ptr that way skb->len shall always indicate how
> much data is remaining and can be used to perform checks if there is
> enough data to parse.
> 
> Fixes: a2ec905d1e160a33b2e210e45ad30445ef26ce0e ("Bluetooth: fix kernel oops in store_pending_adv_report")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> ---
> v2: Fixes rssi parsing.
> 
>  net/bluetooth/hci_event.c | 73 ++++++++++++++++++++++++++++++---------
>  1 file changed, 56 insertions(+), 17 deletions(-)

Could we get the matching HCI logs for these corrupted events? It'd be
good to include that in the commit message. Unless I misunderstood
something, from what I can see from the changes the fields you are
adding checks for are generated by the Bluetooth controller, i.e. only a
buggy or broken Bluetooth controller would generate such events
(meaning, this shouldn't be generally remotely exploitable), so it'd be
good to know exactly which controllers generate such broken events.

Johan
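The kind of bounds check the quoted commit message describes, as an added illustration (not the kernel's code and not the patch itself): `struct buf` and `buf_pull` are simplified stand-ins I use for `sk_buff` and `skb_pull`, the parser follows the LE Advertising Report layout (event type, address type, bdaddr, length, data, trailing RSSI byte), and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for sk_buff: current data pointer plus bytes remaining. */
struct buf { const uint8_t *data; size_t len; };

/* Mimics skb_pull(): consume n bytes, or return NULL if fewer remain. */
static const uint8_t *buf_pull(struct buf *b, size_t n)
{
    if (n > b->len)
        return NULL;
    const uint8_t *p = b->data;
    b->data += n;
    b->len -= n;
    return p;
}

/* Fixed part of one report: evt_type(1) bdaddr_type(1) bdaddr(6) length(1).
 * It is followed by length bytes of AD data and then one RSSI byte. */
#define ADV_INFO_HDR_LEN 9

/* Parse an LE Advertising Report payload (bytes after the subevent code).
 * Returns the number of fully validated reports, or -1 as soon as any
 * controller-supplied length would run past the end of the buffer. */
static int parse_le_adv_report(const uint8_t *pkt, size_t pkt_len)
{
    struct buf b = { pkt, pkt_len };
    const uint8_t *num = buf_pull(&b, 1);
    if (!num)
        return -1;
    int parsed = 0;
    for (uint8_t i = 0; i < *num; i++) {
        const uint8_t *hdr = buf_pull(&b, ADV_INFO_HDR_LEN);
        if (!hdr)
            return -1;
        size_t data_len = hdr[8];
        /* Remaining bytes must cover the AD data AND the trailing RSSI. */
        if (b.len < data_len + 1)
            return -1;
        buf_pull(&b, data_len);   /* AD data */
        buf_pull(&b, 1);          /* RSSI */
        parsed++;
    }
    return parsed;
}

/* Constructed samples: one well-formed report, and one whose length byte
 * (0x20) claims far more AD data than the packet actually carries. */
static const uint8_t good_pkt[] = { 1, 0x00, 0x00, 1, 2, 3, 4, 5, 6,
                                    3, 0x02, 0x01, 0x06, 0xc8 };
static const uint8_t bad_pkt[]  = { 1, 0x00, 0x00, 1, 2, 3, 4, 5, 6,
                                    0x20, 0x02, 0x01, 0x06, 0xc8 };

int main(void)
{
    printf("good: %d\n", parse_le_adv_report(good_pkt, sizeof good_pkt));
    printf("bad:  %d\n", parse_le_adv_report(bad_pkt, sizeof bad_pkt));
    return 0;
}
```

A packet truncated right after the AD data (no RSSI byte) is also rejected, which is the case the v2 note about RSSI parsing refers to.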


