Date: Thu, 22 Oct 2020 23:55:50 +0300
From: Johan Hedberg
To: Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH v2 1/2] Bluetooth: Fix not checking advertisement bondaries
Message-ID: <20201022205550.GA63907@jhedberg-mac01.home>
References: <20201019172529.1179996-1-luiz.dentz@gmail.com>
In-Reply-To: <20201019172529.1179996-1-luiz.dentz@gmail.com>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Luiz,

On Mon, Oct 19, 2020, Luiz Augusto von Dentz wrote:
> When receiving advertisements check if the length is actually within
> the skb, this also makes use of skb_pull to advance on the skb->data
> instead of a custom ptr, that way skb->len shall always indicate how
> much data is remaining and can be used to perform checks if there is
> enough data to parse.
>
> Fixes: a2ec905d1e160a33b2e210e45ad30445ef26ce0e ("Bluetooth: fix kernel oops in store_pending_adv_report")
> Signed-off-by: Luiz Augusto von Dentz
> ---
> v2: Fixes rssi parsing.
>
>  net/bluetooth/hci_event.c | 73 ++++++++++++++++++++++++++++++---------
>  1 file changed, 56 insertions(+), 17 deletions(-)

Could we get the matching HCI logs for these corrupted events? It'd be good
to include that in the commit message. Unless I misunderstood something,
from what I can see from the changes the fields you are adding checks for
are generated by the Bluetooth controller, i.e. only a buggy or broken
Bluetooth controller would generate such events (meaning, this shouldn't
be generally remotely exploitable), so it'd be good to know exactly which
controllers generate such broken events.

Johan
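Added illustration (not code from the patch, from net/bluetooth/hci_event.c, or from the kernel): a user-space C sketch of the parsing pattern the commit message describes, where a data/len pair stands in for the sk_buff, a pull helper stands in for skb_pull(), and every field of an HCI LE Advertising Report (LE Meta Event subevent 0x02: Num_Reports, then per report Event_Type, Address_Type, Address, Data_Length, Data, RSSI) is taken through that helper so the remaining length is always checked before a controller-supplied Data_Length is trusted. The sample event bytes are constructed for the example, not a capture from any controller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the kernel's sk_buff: data pointer plus bytes remaining. */
struct buf {
    const uint8_t *data;
    size_t len;
};

/* Stand-in for skb_pull(): consume n bytes, or NULL if fewer remain.
 * All fields go through this, so len always says how much is left. */
static const uint8_t *buf_pull(struct buf *b, size_t n)
{
    const uint8_t *p = b->data;
    if (b->len < n)
        return NULL;
    b->data += n;
    b->len -= n;
    return p;
}

/* One entry of an LE Advertising Report (LE Meta Event, subevent 0x02). */
struct adv_report {
    uint8_t evt_type;
    uint8_t bdaddr_type;
    uint8_t bdaddr[6];
    uint8_t length;       /* Data_Length, supplied by the controller */
    const uint8_t *data;  /* points into the event, not copied */
    int8_t rssi;          /* follows data[], so its offset depends on length */
};

/* Parse the parameters after the subevent code. Returns the number of
 * reports, or -1 if any field would run past the end of the event. */
int parse_le_adv_report(const uint8_t *ev, size_t ev_len,
                        struct adv_report *out, size_t max_out)
{
    struct buf b = { ev, ev_len };
    const uint8_t *p;
    unsigned int num, i;

    if (!(p = buf_pull(&b, 1)))
        return -1;
    num = *p;
    if (num == 0 || num > max_out)
        return -1;

    for (i = 0; i < num; i++) {
        struct adv_report *r = &out[i];
        const uint8_t *hdr = buf_pull(&b, 9); /* fixed header before data[] */
        if (!hdr)
            return -1;
        r->evt_type = hdr[0];
        r->bdaddr_type = hdr[1];
        memcpy(r->bdaddr, &hdr[2], 6);
        r->length = hdr[8];
        /* Bound the controller-supplied Data_Length against what remains. */
        if (!(r->data = buf_pull(&b, r->length)))
            return -1;
        /* RSSI sits after the variable-length data, so check it separately. */
        if (!(p = buf_pull(&b, 1)))
            return -1;
        r->rssi = (int8_t)*p;
    }
    return (int)num;
}

/* Constructed sample, not a real capture: an ADV_IND carrying a 3-byte Flags
 * AD structure, then a SCAN_RSP with no data. */
static const uint8_t sample_evt[] = {
    0x02,                                           /* Num_Reports */
    0x00, 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, /* ADV_IND, public, addr */
    0x03, 0x02, 0x01, 0x06,                         /* Data_Length 3, Flags */
    0xC0,                                           /* RSSI -64 dBm */
    0x04, 0x01, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, /* SCAN_RSP, random, addr */
    0x00,                                           /* Data_Length 0 */
    0xB5,                                           /* RSSI -75 dBm */
};

/* Well-formed event: number of reports parsed (2). */
int demo_well_formed(void)
{
    struct adv_report r[2];
    return parse_le_adv_report(sample_evt, sizeof(sample_evt), r, 2);
}

/* Well-formed event: RSSI of report i (-64, -75), or 0 on parse failure. */
int demo_rssi(unsigned int i)
{
    struct adv_report r[2];
    if (i >= 2 || parse_le_adv_report(sample_evt, sizeof(sample_evt), r, 2) < 0)
        return 0;
    return r[i].rssi;
}

/* Corrupted copy: first Data_Length claims 32 bytes the event does not hold. */
int demo_overlong_length(void)
{
    uint8_t bad[sizeof(sample_evt)];
    struct adv_report r[2];
    memcpy(bad, sample_evt, sizeof(bad));
    bad[9] = 0x20;
    return parse_le_adv_report(bad, sizeof(bad), r, 2);
}

/* Truncated copy: the last RSSI byte is missing. */
int demo_truncated(void)
{
    struct adv_report r[2];
    return parse_le_adv_report(sample_evt, sizeof(sample_evt) - 1, r, 2);
}
```

The two failure cases are the ones the commit message is about: a Data_Length that exceeds the bytes left in the event, and an event that ends before the RSSI that follows the data. In both, the parser stops at the pull that fails instead of reading past the buffer, and because it never reads ahead of the pull helper, the remaining-length check does not have to be repeated by hand at each field.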