Re: [PATCH] Bluetooth: MGMT: require exact mesh send payload length

From: Luiz Augusto von Dentz

Date: Mon Mar 30 2026 - 16:07:18 EST


Hi Keenan,

On Sat, Mar 28, 2026 at 4:47 AM Keenan Dong <keenanat2000@xxxxxxxxx> wrote:
>
> mesh_send() only checks that the total command length falls within a
> broad range. A malformed MGMT_OP_MESH_SEND request can therefore claim
> a larger adv_data_len than the bytes actually present, and the async
> mesh send path later copies past the end of the stored command buffer.
>
> Require the command length to exactly match the variable advertising
> payload size before queueing the request.
>
> Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
> Reported-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> Signed-off-by: Keenan Dong <keenanat2000@xxxxxxxxx>
> ---
> net/bluetooth/mgmt.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index e5f9287fb..aad0da033 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -2478,6 +2478,7 @@ static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
> struct mgmt_mesh_tx *mesh_tx;
> struct mgmt_cp_mesh_send *send = data;
> struct mgmt_rp_mesh_read_features rp;
> + u16 expected_len;
> bool sending;
> int err = 0;
>
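Review bot: struct_size() returns size_t, so assigning its result to the new `u16 expected_len` narrows the value; declaring it as `size_t expected_len;` avoids relying on the maximum payload size fitting in 16 bits, and the comparison against the u16 `len` still works unchanged.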
> @@ -2491,6 +2492,11 @@ static int mesh_send(struct sock *sk, struct hci_dev *hdev, void *data, u16 len)
> return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
> MGMT_STATUS_REJECTED);
>
> + expected_len = struct_size(send, adv_data, send->adv_data_len);
> + if (expected_len != len)
> + return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
> + MGMT_STATUS_INVALID_PARAMS);
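Review bot: the new `expected_len != len` test only checks that the command is internally consistent; it does not bound `send->adv_data_len` on its own, so the existing check that returns MGMT_STATUS_REJECTED just above (which, per the condition quoted in the reply below, also limits `len`) must stay, or an explicit upper bound on adv_data_len must be added, if that earlier check is to be replaced by this one. Placing the check before hci_dev_lock(hdev) is right, since the early return then needs no unlock. It would help to mention in the commit message that a length mismatch now reports MGMT_STATUS_INVALID_PARAMS while the earlier length check reports MGMT_STATUS_REJECTED, so callers see different codes for related errors.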

Ok, I guess you are saying the following is not actually correct:

if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
    len <= MGMT_MESH_SEND_SIZE ||
    len > (MGMT_MESH_SEND_SIZE + 31))

So MGMT_MESH_SEND_SIZE is not the size of mgmt_cp_mesh_send? Anyway,
your check can probably replace these checks above; it would be great
to have these conditions covered by the likes of mesh-tester:

https://github.com/bluez/bluez/blob/master/tools/mesh-tester.c

> hci_dev_lock(hdev);
>
> memset(&rp, 0, sizeof(rp));
> --
> 2.43.0
>


--
Luiz Augusto von Dentz