Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp251474pxu;
        Thu, 22 Oct 2020 22:45:03 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJw02A3A2UPeChoPQhS05+XiRESu91vikiA8VZTrd7O/3of4pvdJvfVF/8I/xnFBp6AklTBP
X-Received: by 2002:a17:906:3150:: with SMTP id e16mr395583eje.266.1603431903585;
        Thu, 22 Oct 2020 22:45:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1603431903; cv=none;
        d=google.com; s=arc-20160816;
        b=fM1ZUD9cdaUWy9wLITtgZiZlEAv3Ks61bmQTBlL9NKtN3IR7ELbrXi5cORF2eGJffa
         6oO9mDTu4xDO6LfCSJNOyvXg7B6q/xbFlGbEjwGKCbpkqXTgXQYd9Yi4W9AaMioyJzvK
         cQxWkTpXNRqjlu6WMCoRzQaMQiymNBE3Hsc77RQVn0vmYp4o1F9yozCMWxIjLawy3IX9
         PKjJ3MITQhYAiLDvHSFPMi+K4nkT3HVslDzdrPwk+rebDqbKxb4t0DPqhtgqBOd070YN
         I7WwvgA38ePtlxfbXX2zryRHqL6dUh2bTdRzL/wvFfoZF1tYCyBLWRf+Rx05PmSS3TQ8
         oefw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:mail-followup-to:message-id:subject:cc:to:from:date
         :dkim-signature;
        bh=ovSjaF8+AQYsNiCX+NFwJd5UBFzbmmXOmXUqLw5+IKU=;
        b=xu6nmRtezZqfFJpAL3HnLQ0i5Gok5oSFobbRVPlRg5EnnKLd1HVEmkJXwaa3goWOzg
         xScEg8PTd2jzkb5Ys2vrcelkb+qzoPtJg/RqAU/LivgJ0M6CahcMCHVdZvYC9W7TKscA
         a0vyox0fsWwuGLx0n7U1dKZCsndArYbd78FDsPEZ6nA4GZyxazc0+B87lZg/wcWaR4uw
         OJGQInHZf099bQ15gy9TCafNFRrpkh+Jx0Sh2veMJ1pMJb/5tdspmBbXhiFvHPnI9Jqu
         7xeTQQTkziN2Uy9fGLrb7SRvOOL5F+2a5tX/xukIGoLG7IsxJlAKN75XCzAN0rAnbTvW
         gAhw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=idT9cYTE;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-bluetooth-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a1si145917edb.335.2020.10.22.22.44.25;
        Thu, 22 Oct 2020 22:45:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=idT9cYTE;
       spf=pass (google.com: domain of linux-bluetooth-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-bluetooth-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2896992AbgJVU4O (ORCPT <rfc822;vk6fun@gmail.com> + 99 others);
        Thu, 22 Oct 2020 16:56:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36880 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2896682AbgJVUzy (ORCPT
        <rfc822;linux-bluetooth@vger.kernel.org>);
        Thu, 22 Oct 2020 16:55:54 -0400
Received: from mail-lj1-x243.google.com (mail-lj1-x243.google.com [IPv6:2a00:1450:4864:20::243])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 194D3C0613CE
        for <linux-bluetooth@vger.kernel.org>; Thu, 22 Oct 2020 13:55:54 -0700 (PDT)
Received: by mail-lj1-x243.google.com with SMTP id m16so3436739ljo.6
        for <linux-bluetooth@vger.kernel.org>; Thu, 22 Oct 2020 13:55:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to;
        bh=ovSjaF8+AQYsNiCX+NFwJd5UBFzbmmXOmXUqLw5+IKU=;
        b=idT9cYTEFm1DK1SUOnCS0N+lYwK+G+69GUMe/tjese0xEbSGZB2W9sriYvaUL4TJrd
         oxOR23pZToWQh70Yn0yvSlZRZreM9Q+I+SC8Ap9Ku7BDCx0ZGN441pm0fPvTNvCIscjD
         UPHLXI6AajQPR1giYWRT2M9Pf4MN10nGcBdD+Y57QaKHrbsgqjNHWCNV4imLL3xaa/53
         tCi3Gs0VPiQN8U5qb3szTlKTJnVs1LudeXlIgLYjxRaqEZEjhyBXttoeq5yCeklPMO1+
         tIj7Dfa3lD14xQUzsntieExGi6jwQEIIQOKWF4m/lF43JmU41hZYFYDIaULc0u38X31T
         5a5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to;
        bh=ovSjaF8+AQYsNiCX+NFwJd5UBFzbmmXOmXUqLw5+IKU=;
        b=nHwKAwj3FNbMi233s5VUMhri1cp1QOCE4X1tj6DFrImXC/9jrIYzQGRu/TVsFRk0nY
         G1jLFz1OQl//xsEqtBOEgNRu3WnJliYGcuAyLGxIyde46TVuPZDQfKqq5b3uAil0nY/1
         8njBNCGOrD3gKLsPm5M/s273xc2wz0CS3dYyMG2JQXIswmV8//oQJWo+oyaMzXw+FNOP
         vxLCizK4dwaKolRpCHogTn2EzgDTdYCdr4AuUbRh6cQ+lTWU4V+aXcxjL8g0o6jSsCcL
         9fZ1OWAj3LnsGrooABc48bvnU6BB7fosDyW+pGfgkoGNLhmu6IfS6e/b9Z1pehJYyWh6
         VUEQ==
X-Gm-Message-State: AOAM530jK5Oum2dcQh67KWwqg+KkrbZ2fySWYLwPuWOd8OL1rU3O5K0X
        RQmLmFQkJOMp36s3ObhOl/0=
X-Received: by 2002:a05:651c:203:: with SMTP id y3mr1582906ljn.457.1603400152381;
        Thu, 22 Oct 2020 13:55:52 -0700 (PDT)
Received: from localhost (91-154-113-38.elisa-laajakaista.fi. [91.154.113.38])
        by smtp.gmail.com with ESMTPSA id r5sm432297ljm.77.2020.10.22.13.55.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Thu, 22 Oct 2020 13:55:51 -0700 (PDT)
Date:   Thu, 22 Oct 2020 23:55:50 +0300
From:   Johan Hedberg <johan.hedberg@gmail.com>
To:     Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc:     linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH v2 1/2] Bluetooth: Fix not checking advertisement
 bondaries
Message-ID: <20201022205550.GA63907@jhedberg-mac01.home>
Mail-Followup-To: Luiz Augusto von Dentz <luiz.dentz@gmail.com>,
        linux-bluetooth@vger.kernel.org
References: <20201019172529.1179996-1-luiz.dentz@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20201019172529.1179996-1-luiz.dentz@gmail.com>
Precedence: bulk
List-ID: <linux-bluetooth.vger.kernel.org>
X-Mailing-List: linux-bluetooth@vger.kernel.org

Hi Luiz,

On Mon, Oct 19, 2020, Luiz Augusto von Dentz wrote:
> When receiving advertisements check if the length is actually within
> the skb, this also make use of skb_pull to advance on the skb->data
> instead of a custom ptr that way skb->len shall always indicates how
> much data is remaining and can be used to perform checks if there is
> enough data to parse.
> 
> Fixes: a2ec905d1e160a33b2e210e45ad30445ef26ce0e ("Bluetooth: fix kernel oops in store_pending_adv_report")
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> ---
> v2: Fixes rssi parsing.
> 
>  net/bluetooth/hci_event.c | 73 ++++++++++++++++++++++++++++++---------
>  1 file changed, 56 insertions(+), 17 deletions(-)

Could we get the matching HCI logs for these corrupted events? It'd be
good to include that in the commit message. Unless I misunderstood
something, from what I can see from the changes the fields you are
adding checks for are generated by the Bluetooth controller, i.e. only a
buggy or broken Bluetooth controller would generate such events
(meaning, this shouldn't be generally remotely exploitable), so it'd be
good to know exactly which controllers generate such broken events.

Johan