Re: [PATCH] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify
From: Muhammad Bilal
Date: Sun May 17 2026 - 14:13:07 EST
Hi Paul,
Thanks for the review.
Moving the check after bt_dev_dbg() would not be safe since the debug
statement reads kp->value, which is exactly what the length check is guarding.
On a truncated SMP_CMD_KEYPRESS_NOTIFY packet, skb->len may be smaller
than sizeof(*kp) when entering the handler, so evaluating kp->value in
the debug log would already access out-of-bounds memory before the
guard is reached.
Therefore the length check needs to remain before any access to
kp->value.
Regards,
Muhammad Bilal
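The ordering argued for above, as an added illustration that is not part of the e-mail thread or of the kernel's SMP code: the struct, buffer type and reject code below are constructed stand-ins, and the handler models only the point at issue, that the length check must run before any dereference of kp (including one made for a debug message).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-ins, not the kernel's definitions: a received
 * buffer with a length, and a one-byte keypress notification payload.
 */
struct pkt {
	const uint8_t *data;
	size_t len;
};

struct keypress_notify {
	uint8_t value;
};

#define REJECT_INVALID_LEN 1	/* assumed reject code for this example */

/*
 * Guarded handler: the length check comes first, so kp->value is only
 * read once the buffer is known to hold sizeof(*kp) bytes. A debug
 * print of kp->value must therefore sit below the check, not above it.
 */
static int handle_keypress_notify(const struct pkt *skb, uint8_t *out_value)
{
	const struct keypress_notify *kp;

	if (skb->len < sizeof(*kp))
		return REJECT_INVALID_LEN;

	kp = (const struct keypress_notify *)skb->data;
	*out_value = kp->value;
	return 0;
}

/*
 * Models the proposed ordering (debug read of kp->value, then the
 * check) without performing the read: it reports how many bytes past
 * skb->len that read would touch. 0 means the read stays in bounds.
 */
static size_t bytes_oob_if_read_before_check(const struct pkt *skb)
{
	size_t need = sizeof(struct keypress_notify);

	return skb->len < need ? need - skb->len : 0;
}

/* Run the guarded handler over n packets; returns how many were accepted. */
static size_t run_packets(const struct pkt *pkts, size_t n, uint8_t *values)
{
	size_t accepted = 0;

	for (size_t i = 0; i < n; i++) {
		uint8_t v;

		if (handle_keypress_notify(&pkts[i], &v) == 0)
			values[accepted++] = v;
	}
	return accepted;
}

int main(void)
{
	/* Constructed input: a full notification and a truncated one. */
	static const uint8_t payload[1] = { 0x04 };
	struct pkt pkts[2] = {
		{ payload, sizeof(payload) },	/* well-formed */
		{ payload, 0 },			/* truncated: no payload byte */
	};
	uint8_t values[2];
	size_t n = run_packets(pkts, 2, values);

	printf("accepted %zu of 2 packets\n", n);
	for (size_t i = 0; i < 2; i++)
		printf("packet %zu: unguarded read would go %zu byte(s) out of bounds\n",
		       i, bytes_oob_if_read_before_check(&pkts[i]));
	return 0;
}
```

The second packet is rejected by the guarded handler, while bytes_oob_if_read_before_check shows that the proposed ordering would already have read one byte past the buffer for it before the guard was reached.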