From: Keenan Dong
To: linux-bluetooth@vger.kernel.org
Cc: marcel@holtmann.org, luiz.dentz@gmail.com, linux-kernel@vger.kernel.org, Keenan Dong
Subject: [PATCH] Bluetooth: MGMT: require exact mesh send payload length
Date: Sat, 28 Mar 2026 16:46:48 +0800
Message-ID: <20260328084648.51158-2-keenanat2000@gmail.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260328084648.51158-1-keenanat2000@gmail.com>
References: <20260328084648.51158-1-keenanat2000@gmail.com>

mesh_send() only checks that the total command length falls within a
broad range. A malformed MGMT_OP_MESH_SEND request can therefore claim a
larger adv_data_len than the bytes actually present, and the async mesh
send path later copies past the end of the stored command buffer.

Require the command length to exactly match the variable advertising
payload size before queueing the request.

Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Reported-by: Keenan Dong
Signed-off-by: Keenan Dong
---
 net/bluetooth/mgmt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index e5f9287fb..aad0da033 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -2478,6 +2478,7 @@ static int mesh_send(struct sock *sk, struct hci_dev = *hdev, void *data, u16 len) struct mgmt_mesh_tx *mesh_tx; struct mgmt_cp_mesh_send *send =3D data; struct mgmt_rp_mesh_read_features rp; + u16 expected_len; bool sending; int err =3D 0; =20 @@ -2491,6 +2492,11 @@ static int mesh_send(struct sock *sk, struct hci_dev= *hdev, void *data, u16 len) return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND, MGMT_STATUS_REJECTED); =20 + expected_len =3D struct_size(send, adv_data, send->adv_data_len); + if (expected_len !=3D len) + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND, + MGMT_STATUS_INVALID_PARAMS); + hci_dev_lock(hdev); =20 memset(&rp, 0, sizeof(rp)); --=20 2.43.0
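Review bot: the new exact-length check dereferences send->adv_data_len before it has itself established that len covers the fixed part of struct mgmt_cp_mesh_send, so its safety rests entirely on the earlier "broad range" check that the commit message mentions (the one returning MGMT_STATUS_REJECTED just above the insertion point) guaranteeing len >= sizeof(*send); that dependency should either be stated in a comment next to the new check or removed by placing the struct_size() comparison immediately after an explicit lower-bound check on len. Two smaller points on the same lines: struct_size() returns size_t, so storing it in a `u16 expected_len` narrows the value before the comparison, and writing `if (struct_size(send, adv_data, send->adv_data_len) != len)` (or making the local size_t) avoids the implicit truncation and the extra declaration in the first hunk; and the pre-existing range check rejects bad lengths with MGMT_STATUS_REJECTED while the new one returns MGMT_STATUS_INVALID_PARAMS, so it is worth a sentence in the commit message explaining why a length mismatch is now reported as an invalid parameter rather than with the status the surrounding length validation already uses, or aligning the two.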