Skip to content

[PW_SID:1100657] [v1,1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt#240

Open
BluezTestBot wants to merge 1 commit into
workflowfrom
1100657
Open

[PW_SID:1100657] [v1,1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt#240
BluezTestBot wants to merge 1 commit into
workflowfrom
1100657

Conversation

@BluezTestBot
Copy link
Copy Markdown

@BluezTestBot BluezTestBot commented May 26, 2026

l2cap_get_conf_opt() reads opt->val via a switch on opt->len (1, 2,
or 4 bytes). opt->len is a remote-controlled u8. All three callers
loop on (len >= L2CAP_CONF_OPT_SIZE), so the loop body executes with
as few as 2 bytes remaining. A packet ending with opt->len=4 and
only 2 bytes left causes get_unaligned_le32(opt->val) to read 4 bytes
past the buffer before the caller can act on the return value.

Commit 7c9cbd0 ("Bluetooth: Verify that l2cap_get_conf_opt
provides large enough buffer") added a post-call len < 0 guard in
each caller, but the over-read fires inside l2cap_get_conf_opt()
before that guard is reached.

Add a buflen parameter and validate L2CAP_CONF_OPT_SIZE + opt->len
<= buflen before any access to opt->val. Return -EINVAL on
violation. Update all three callers to capture the return value and
break on negative. With the bounds check ensuring the option fits
within the remaining buffer, the post-call len < 0 check is no
longer needed and is removed.

Fixes: 7c9cbd0 ("Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal meatuni001@gmail.com

net/bluetooth/l2cap_core.c | 31 ++++++++++++++++++++++++-------
1 file changed, 24 insertions(+), 7 deletions(-)

@Vudentz
Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt
c3cedcc 
l2cap_get_conf_opt() reads opt->val via a switch on opt->len (1, 2,
or 4 bytes).  opt->len is a remote-controlled u8.  All three callers
loop on (len >= L2CAP_CONF_OPT_SIZE), so the loop body executes with
as few as 2 bytes remaining.  A packet ending with opt->len=4 and
only 2 bytes left causes get_unaligned_le32(opt->val) to read 4 bytes
past the buffer before the caller can act on the return value.

Commit 7c9cbd0 ("Bluetooth: Verify that l2cap_get_conf_opt
provides large enough buffer") added a post-call len < 0 guard in
each caller, but the over-read fires inside l2cap_get_conf_opt()
before that guard is reached.

Add a buflen parameter and validate L2CAP_CONF_OPT_SIZE + opt->len
<= buflen before any access to opt->val.  Return -EINVAL on
violation.  Update all three callers to capture the return value and
break on negative.  With the bounds check ensuring the option fits
within the remaining buffer, the post-call len < 0 check is no
longer needed and is removed.

Fixes: 7c9cbd0 ("Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.70 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

VerifyFixes
Desc: Verify Fixes tag format and validity
Duration: 0.11 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

VerifySignedoff
Desc: Verify Signed-off-by chain
Duration: 0.12 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

GitLint
Desc: Run gitlint
Duration: 0.29 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.11 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 26.93 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 29.76 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 28.95 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 26.00 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 572.85 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 59.10 seconds
Result: PASS

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 26, 2026

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 25.01 seconds
Result: PASS

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

area:l2cap

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@BluezTestBot