From: Kangzheng Gu
To: gregkh@linuxfoundation.org, marcel@holtmann.org, luiz.dentz@gmail.com, luiz.von.dentz@intel.com, xiaoguai0992@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] Bluetooth: ISO: validate ISO_END fragments
Date: Sat, 28 Mar 2026 20:09:38 +0000
Message-ID: <20260328200938.140528-1-xiaoguai0992@gmail.com>

A malformed ISO_END fragment can trigger a NULL pointer dereference due to missing validation before processing. An oversized end fragment should also be rejected.

Add the same validation for ISO_END as for ISO_CONT, and reset the in-progress reassembly state when malformed input is detected.

Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Cc: stable@vger.kernel.org
Signed-off-by: Kangzheng Gu
---
 net/bluetooth/iso.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index be145e2736b7..8707f3c4b103 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -2587,6 +2587,27 @@ int iso_recv(struct hci_dev *hdev, u16 handle, struc= t sk_buff *skb, u16 flags) break; =20 case ISO_END: + BT_DBG("End: frag len %d (expecting %d)", skb->len, + conn->rx_len); + + if (!conn->rx_len) { + BT_ERR("Unexpected end frame (len %d)", + skb->len); + kfree_skb(conn->rx_skb); + conn->rx_skb =3D NULL; + conn->rx_len =3D 0; + goto drop; + } + + if (skb->len > conn->rx_len) { + BT_ERR("Fragment is too long (len %d, expected %d)", + skb->len, conn->rx_len); + kfree_skb(conn->rx_skb); + conn->rx_skb =3D NULL; + conn->rx_len =3D 0; + goto drop; + } + skb_copy_from_linear_data(skb, skb_put(conn->rx_skb, skb->len), skb->len); conn->rx_len -=3D skb->len; --=20 2.50.1
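Review bot: the pointer that the existing copy dereferences is conn->rx_skb (skb_put(conn->rx_skb, skb->len)), but the new first guard in the ISO_END case tests conn->rx_len instead; the two only coincide if rx_len == 0 always implies rx_skb == NULL, which the hunk does not establish, and the guard also rejects a zero-length end fragment arriving after continuation fragments have consumed the whole expected length. A check on the pointer itself, `if (!conn->rx_skb)`, is the direct guard for the NULL dereference the commit message describes, with the following `skb->len > conn->rx_len` check still covering oversize input. In that first branch `conn->rx_len = 0` assigns a value already known to be zero, so only the kfree_skb()/rx_skb reset does any work there; since both error branches run the identical three-line cleanup, a shared teardown before `goto drop` would keep the ISO_CONT and ISO_END paths from drifting apart again.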