Hi Luiz,

On Mon, Oct 19, 2020, Luiz Augusto von Dentz wrote:
> When receiving advertisements check if the length is actually within
> the skb, this also makes use of skb_pull to advance on the skb->data
> instead of a custom ptr that way skb->len shall always indicate how
> much data is remaining and can be used to perform checks if there is
> enough data to parse.
>
> Fixes: a2ec905d1e160a33b2e210e45ad30445ef26ce0e ("Bluetooth: fix kernel oops in store_pending_adv_report")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> ---
> v2: Fixes rssi parsing.
>
> net/bluetooth/hci_event.c | 73 ++++++++++++++++++++++++++++++---------
> 1 file changed, 56 insertions(+), 17 deletions(-)

Could we get the matching HCI logs for these corrupted events? It'd be good to include that in the commit message.

Unless I misunderstood something, from what I can see from the changes, the fields you are adding checks for are generated by the Bluetooth controller, i.e. only a buggy or broken Bluetooth controller would generate such events (meaning this shouldn't be generally remotely exploitable), so it'd be good to know exactly which controllers generate such broken events.

Johan
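As an added illustration of the parsing discipline the commit message describes (not code from the patch or from the kernel), the following self-contained C model uses a pull-style cursor so that the remaining length is always known and every field is checked against it before it is read. `struct buf`, `buf_pull` and `parse_le_adv_report` are constructed stand-ins; the per-report field order follows the LE Advertising Report layout (event type, address type, address, length, data, RSSI), and the sample events are constructed, not captured HCI logs.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the skb fields the patch leans on: data points at
 * the next unparsed byte, len is how much remains (not the kernel's sk_buff). */
struct buf { const uint8_t *data; size_t len; };

/* Same contract as skb_pull(): fail unless n bytes remain, then advance. */
static const uint8_t *buf_pull(struct buf *b, size_t n)
{
    if (b->len < n)
        return NULL;
    const uint8_t *p = b->data;
    b->data += n;
    b->len -= n;
    return p;
}

/* Parse an LE Advertising Report event body: num_reports, then per report
 * evt_type(1) bdaddr_type(1) bdaddr(6) length(1) data[length] rssi(1).
 * Returns the number of reports parsed, or -1 if any field would read past
 * the end of the buffer. */
int parse_le_adv_report(const uint8_t *ev, size_t ev_len)
{
    struct buf b = { ev, ev_len };
    const uint8_t *num = buf_pull(&b, 1);
    if (!num)
        return -1;
    for (int i = 0; i < *num; i++) {
        const uint8_t *hdr = buf_pull(&b, 9);   /* evt_type .. length */
        if (!hdr)
            return -1;
        if (!buf_pull(&b, hdr[8]))              /* AD data, length from hdr */
            return -1;
        if (!buf_pull(&b, 1))                   /* rssi sits after the data */
            return -1;
    }
    return *num;
}

/* Constructed samples: one well-formed report, and the same report whose
 * length byte claims 32 bytes of AD data the event does not carry. */
const uint8_t adv_ok[] = { 0x01, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44, 0x55,
                           0x66, 0x02, 0x01, 0x06, 0xC8 };
const uint8_t adv_bad_len[] = { 0x01, 0x00, 0x01, 0x11, 0x22, 0x33, 0x44,
                                0x55, 0x66, 0x20, 0x01, 0x06, 0xC8 };
```

Because the RSSI byte is only read after the data pull succeeds, a truncated or over-declared event is rejected before any out-of-bounds access rather than silently misparsed.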