Re: [PATCH v1 1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt
From: Muhammad Bilal
Date: Wed May 27 2026 - 01:18:25 EST

Thanks for the review.

> By any chance, do you have a reproducer?

No standalone reproducer is available. The issue can be triggered by
a malformed L2CAP configuration request where opt->len exceeds the
remaining buffer, i.e. a crafted packet from a remote peer.

> I always wonder, if Linux should log a debug message or even warning.

Existing callers generally handle malformed configuration options by
silently aborting parsing, so I followed the same pattern. Adding a
BT_ERR() on -EINVAL could be reasonable; I can include that in a v2
if preferred.

Regards,
Muhammad Bilal
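
The length check discussed in this message, as an added userspace sketch (not the kernel patch and not the author's code): a type/length/value option walker that returns -EINVAL when the declared length exceeds the remaining buffer, so the caller aborts parsing. The names get_conf_opt_checked and count_conf_opts and the sample buffers are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CONF_OPT_HDR 2  /* 1-byte type + 1-byte length precede the value */

struct conf_opt { uint8_t type; uint8_t len; const uint8_t *val; };

/* Read one option at buf[*off], never touching bytes at or past buf[end].
 * Returns bytes consumed, or -EINVAL if the header or value would overrun. */
static int get_conf_opt_checked(const uint8_t *buf, size_t end, size_t *off,
                                struct conf_opt *out)
{
    size_t remaining;

    if (*off > end)
        return -EINVAL;
    remaining = end - *off;
    if (remaining < CONF_OPT_HDR)            /* header itself is truncated */
        return -EINVAL;
    out->type = buf[*off];
    out->len = buf[*off + 1];
    if (out->len > remaining - CONF_OPT_HDR) /* declared length > bytes left */
        return -EINVAL;
    out->val = buf + *off + CONF_OPT_HDR;
    *off += CONF_OPT_HDR + out->len;
    return CONF_OPT_HDR + out->len;
}

/* Walk every option; abort on the first malformed one, as callers do. */
static int count_conf_opts(const uint8_t *buf, size_t len)
{
    struct conf_opt opt;
    size_t off = 0;
    int n = 0;

    while (off < len) {
        if (get_conf_opt_checked(buf, len, &off, &opt) < 0)
            return -EINVAL;
        n++;
    }
    return n;
}

/* Constructed sample buffers (not captured traffic). */
static const uint8_t sample_ok[]    = { 0x01, 0x02, 0xA0, 0x02, 0x02, 0x02, 0xFF, 0xFF };
static const uint8_t sample_bad[]   = { 0x01, 0x02, 0xA0, 0x02, 0x04, 0x09, 0x00 }; /* len 9, 1 byte left */
static const uint8_t sample_trunc[] = { 0x01, 0x02, 0xA0, 0x02, 0x02 };             /* header cut short */

int main(void)
{
    printf("ok=%d bad=%d trunc=%d\n", count_conf_opts(sample_ok, sizeof(sample_ok)),
           count_conf_opts(sample_bad, sizeof(sample_bad)),
           count_conf_opts(sample_trunc, sizeof(sample_trunc)));
    return 0;
}
```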