From: Muhammad Bilal
To: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: marcel@holtmann.org, luiz.dentz@gmail.com, johan.hedberg@gmail.com, stable@vger.kernel.org, Muhammad Bilal
Subject: [PATCH] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify
Date: Sun, 17 May 2026 10:54:17 -0400
Message-ID: <20260517145417.31910-1-meatuni001@gmail.com>
X-Mailer: git-send-email 2.54.0

smp_cmd_keypress_notify() accesses the received payload as struct
smp_cmd_keypress_notify without verifying that skb->len contains enough
data. smp_sig_channel() removes the opcode byte before dispatching to
command handlers, so an SMP_CMD_KEYPRESS_NOTIFY packet without a payload
leaves skb->len equal to zero on entry to the handler, causing a 1-byte
out-of-bounds read from the heap.

Add a length check before accessing the payload and return
SMP_INVALID_PARAMS when the packet is too short, matching the pattern
used by other SMP command handlers.

Fixes: 1408bb6efb04 ("Bluetooth: Add dummy handler for LE SC keypress notification")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal
---
 net/bluetooth/smp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 98f1da4f5..4c98e2a3a 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -2932,6 +2932,9 @@ static int smp_cmd_keypress_notify(struct l2cap_conn = *conn, { struct smp_cmd_keypress_notify *kp =3D (void *) skb->data; =20 + if (skb->len < sizeof(*kp)) + return SMP_INVALID_PARAMS; + bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value); =20 return 0; --=20 2.54.0
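Review bot: the guard is correct and sits where it has to: `kp` is only a cast of `skb->data` and is first dereferenced at `kp->value` inside the `bt_dev_dbg()` call, so checking `skb->len < sizeof(*kp)` immediately before that line closes the 1-byte read the commit message describes, and the early `return SMP_INVALID_PARAMS` leaves the existing `return 0` path untouched. One documentation point for the commit message: it states the out-of-bounds heap read but not how it was observed (code audit, KASAN report, fuzzer); adding that, plus a Reported-by: tag if one applies, would help the stable maintainers assess the backport.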