Re: [PATCH v3] Bluetooth: HIDP: fix missing length checks in hidp_input_report()

From: patchwork-bot+bluetooth

Date: Thu May 21 2026 - 12:30:01 EST


Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Wed, 20 May 2026 18:56:43 -0400 you wrote:
> hidp_input_report() reads keyboard and mouse payload data from an skb
> without first verifying that skb->len contains enough data.
>
> hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
> to hidp_input_report(). If a paired device sends a truncated packet,
> the handler reads beyond the valid skb data, resulting in an
> out-of-bounds read of skb data. The OOB bytes may be interpreted as
> phantom key presses or spurious mouse movement.
>
> [...]

Here is the summary with links:
- [v3] Bluetooth: HIDP: fix missing length checks in hidp_input_report()
https://git.kernel.org/bluetooth/bluetooth-next/c/6522ecbcd122

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
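
The class of check the quoted commit message describes, as an added userspace example; it is not the applied patch or kernel code. The function and struct names are hypothetical, and the report IDs and minimum payload sizes are assumptions based on the HID boot-protocol keyboard and mouse layouts, since the page does not state the values the patch uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPORT_KEYBOARD  0x01  /* assumed report IDs (boot protocol) */
#define REPORT_MOUSE     0x02
#define KEYBOARD_PAYLOAD 8     /* assumed: modifiers, reserved, 6 keycodes */
#define MOUSE_PAYLOAD    3     /* assumed: buttons, dx, dy */

struct input_state {
    uint8_t modifiers, keys[6], buttons;
    int8_t  dx, dy;
};

/* Userspace model: buf/len stand in for skb->data/skb->len after the 1-byte
 * HIDP header has been pulled. Returns 0 if consumed, -1 if dropped. */
int parse_input_report(const uint8_t *buf, size_t len, struct input_state *st)
{
    if (len < 1)
        return -1;              /* not even a report ID */
    const uint8_t *payload = buf + 1;
    size_t size = len - 1;

    switch (buf[0]) {
    case REPORT_KEYBOARD:
        if (size < KEYBOARD_PAYLOAD)
            return -1;          /* truncated: would read past valid data */
        st->modifiers = payload[0];
        memcpy(st->keys, payload + 2, sizeof(st->keys));
        return 0;
    case REPORT_MOUSE:
        if (size < MOUSE_PAYLOAD)
            return -1;          /* truncated mouse report */
        st->buttons = payload[0];
        st->dx = (int8_t)payload[1];
        st->dy = (int8_t)payload[2];
        return 0;
    default:
        return -1;              /* report type not modelled here */
    }
}

int main(void)
{
    /* Constructed sample: keyboard report ID followed by only 2 bytes. */
    const uint8_t truncated[] = { REPORT_KEYBOARD, 0x02, 0x00 };
    struct input_state st = { 0 };
    printf("%d\n", parse_input_report(truncated, sizeof truncated, &st));
    return 0;
}
```

Without the two size comparisons, the truncated sample would be parsed using bytes past the end of the buffer, which is the phantom key press and spurious mouse movement case the commit message names.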