2022-07-29 18:23:28

by Luiz Augusto von Dentz

Subject: [PATCH] Bluetooth: ISO: Fix memory corruption

From: Luiz Augusto von Dentz <[email protected]>

The following memory corruption can happen since iso_pinfo.base size
did not account for its headers (4 bytes):

net/bluetooth/eir.c
76 memcpy(&eir[eir_len], data, data_len);
^^^^^^^ ^^^^^^^^
77 eir_len += data_len;
78
79 return eir_len;
80 }

The "eir" buffer has 252 bytes and data_len is 252 but we do a memcpy()
to &eir[4] so this can corrupt 4 bytes beyond the end of the buffer.

Fixes: f764a6c2c1e4: "Bluetooth: ISO: Add broadcast support"
Signed-off-by: Luiz Augusto von Dentz <[email protected]>
Reported-by: Dan Carpenter <[email protected]>
---
net/bluetooth/iso.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index dded22cde0d1..70c2dd30cb13 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -44,6 +44,9 @@ static void iso_sock_kill(struct sock *sk);
/* ----- ISO socket info ----- */
#define iso_pi(sk) ((struct iso_pinfo *)sk)

+#define EIR_SERVICE_DATA_LENGTH 4
+#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
+
struct iso_pinfo {
struct bt_sock bt;
bdaddr_t src;
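Review bot: the new EIR_SERVICE_DATA_LENGTH define at the top of this hunk is a bare 4 with no comment, and the commit message only says the base size "did not account for its headers (4 bytes)"; a one-line comment naming which bytes those are (presumably the AD length byte, the AD type byte and the 16-bit service UUID) would let a later reader verify the subtraction in BASE_MAX_LENGTH without digging through eir.c. The name also reads as the length of the service data itself rather than the header overhead it represents; something like EIR_SERVICE_DATA_HDR_LEN would match what it is used for.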
@@ -57,7 +60,7 @@ struct iso_pinfo {
__u32 flags;
struct bt_iso_qos qos;
__u8 base_len;
- __u8 base[HCI_MAX_PER_AD_LENGTH];
+ __u8 base[BASE_MAX_LENGTH];
struct iso_conn *conn;
};
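Review bot: shrinking base[] to BASE_MAX_LENGTH fixes the destination side described in the commit message, but this hunk only changes the declaration; the code that fills base[] from user space and sets base_len is not in the diff, and if that path still bounds the copy by HCI_MAX_PER_AD_LENGTH it can now write past the smaller array. It would help to state in the commit message that the copy into base[] is limited by sizeof(iso_pi(sk)->base) (or BASE_MAX_LENGTH), or to include that check in this patch so the two limits cannot drift apart again.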

--
2.37.1
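A worked model of the arithmetic in the commit message above, as an added example that is not part of the patch or of the kernel tree: it computes how far the unchecked memcpy() runs past a 252-byte buffer for a given payload length, and shows a bounds-checked append that rejects a payload whose 4-byte header would not fit. The 252 is taken from the commit message; EIR_SERVICE_DATA (0x16) is the standard AD type for 16-bit-UUID service data; the UUID 0x1234, the 0xAB fill and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed from the commit message ("the eir buffer has 252 bytes"); the
 * real definitions live in the kernel's hci.h. */
#define HCI_MAX_PER_AD_LENGTH 252
#define EIR_SERVICE_DATA_LENGTH 4   /* AD length byte + type + 16-bit UUID */
#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH)
#define EIR_SERVICE_DATA 0x16       /* AD type: Service Data, 16-bit UUID */

/* How many bytes the unchecked memcpy() from the commit message writes
 * past a HCI_MAX_PER_AD_LENGTH-byte buffer for a data_len-byte payload. */
size_t overflow_bytes_unchecked(size_t data_len)
{
    size_t end = EIR_SERVICE_DATA_LENGTH + data_len;
    return end > HCI_MAX_PER_AD_LENGTH ? end - HCI_MAX_PER_AD_LENGTH : 0;
}

/* Bounds-checked model of the append: header + payload must fit in the
 * caller-supplied eir_size. Returns the new eir_len, or 0 when the AD
 * structure would overflow the buffer or its one-byte length field. */
size_t eir_append_service_data_checked(uint8_t *eir, size_t eir_size,
                                       size_t eir_len, uint16_t uuid,
                                       const uint8_t *data, size_t data_len)
{
    size_t needed = EIR_SERVICE_DATA_LENGTH + data_len;

    if (needed - 1 > 0xff || eir_len > eir_size || needed > eir_size - eir_len)
        return 0;
    eir[eir_len++] = (uint8_t)(needed - 1); /* AD length excludes itself */
    eir[eir_len++] = EIR_SERVICE_DATA;
    eir[eir_len++] = (uint8_t)(uuid & 0xff);
    eir[eir_len++] = (uint8_t)(uuid >> 8);
    memcpy(&eir[eir_len], data, data_len);
    return eir_len + data_len;
}

/* Constructed driver: append a data_len-byte payload (0xAB fill, placeholder
 * UUID 0x1234) to an empty 252-byte buffer; returns new length, 0 if rejected. */
size_t try_append(size_t data_len)
{
    uint8_t eir[HCI_MAX_PER_AD_LENGTH] = {0};
    uint8_t data[HCI_MAX_PER_AD_LENGTH];

    if (data_len > sizeof(data))
        return 0;
    memset(data, 0xAB, data_len);
    return eir_append_service_data_checked(eir, sizeof(eir), 0, 0x1234,
                                           data, data_len);
}
```

With the old 252-byte base[] a full 252-byte payload needs 256 bytes and is rejected by the checked append; with BASE_MAX_LENGTH (248) it fills the buffer exactly.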


2022-07-29 19:30:11

by bluez.test.bot

Subject: RE: Bluetooth: ISO: Fix memory corruption

This is an automated email; please do not reply to it!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link: https://patchwork.kernel.org/project/bluetooth/list/?series=664152

---Test result---

Test Summary:
CheckPatch                       PASS   0.86 seconds
GitLint                          PASS   0.45 seconds
SubjectPrefix                    PASS   0.29 seconds
BuildKernel                      PASS   43.03 seconds
BuildKernel32                    PASS   38.11 seconds
Incremental Build with patches   PASS   52.80 seconds
TestRunner: Setup                PASS   632.61 seconds
TestRunner: l2cap-tester         PASS   21.11 seconds
TestRunner: bnep-tester          PASS   8.31 seconds
TestRunner: mgmt-tester          PASS   128.66 seconds
TestRunner: rfcomm-tester        PASS   12.15 seconds
TestRunner: sco-tester           PASS   11.77 seconds
TestRunner: smp-tester           PASS   11.62 seconds
TestRunner: userchan-tester      PASS   8.31 seconds

---
Regards,
Linux Bluetooth

2022-08-01 21:16:40

by patchwork-bot+bluetooth

Subject: Re: [PATCH] Bluetooth: ISO: Fix memory corruption

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <[email protected]>:

On Fri, 29 Jul 2022 11:10:41 -0700 you wrote:
> From: Luiz Augusto von Dentz <[email protected]>
>
> The following memory corruption can happen since iso_pinfo.base size
> did not account for its headers (4 bytes):
>
> net/bluetooth/eir.c
> 76 memcpy(&eir[eir_len], data, data_len);
> ^^^^^^^ ^^^^^^^^
> 77 eir_len += data_len;
> 78
> 79 return eir_len;
> 80 }
>
> [...]

Here is the summary with links:
- Bluetooth: ISO: Fix memory corruption
https://git.kernel.org/bluetooth/bluetooth-next/c/c5d36b8a7dbd

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html