Re: [PATCH v4] Bluetooth: bnep: reject short frames before parsing

From: Cen Zhang

Date: Thu May 28 2026 - 21:03:11 EST


Hi Luiz,

On Fri, May 29, 2026 at 4:48 AM Luiz Augusto von Dentz
<luiz.dentz@xxxxxxxxx> wrote:
>
> This is what you get if you don't know where to look at:
>
> struct bnep_setup_conn_req {
>     uint8_t type;
>     uint8_t ctrl;
>     uint8_t uuid_size;
>     uint8_t service[0];
> } __attribute__((packed));
> https://github.com/bluez/bluez/blob/master/lib/bluetooth/bnep.h#L79
>
> It is in fact a tuple of src + dst service as parsed by btmon:
> https://github.com/bluez/bluez/blob/master/monitor/bnep.c#L104

Right, service[] is the dst + src service tuple, each uuid_size, so the
skip after the control type is 1 + 2 * uuid_size. For v5, I'll name the
byte uuid_size and make the setup-request layout explicit in the comment
so it is not an opaque length.

> Probably just reference the above, but the fact that you couldn't
> mention any of the BlueZ references really bothers me. Although the
> result was correct, the lack of references makes me believe I'm just
> arguing with an AI prompt which doesn't have BlueZ userspace loaded as
> context.

You are right to call this out, and I'm sorry for the noise.

The initial lead for this issue did come from AI assistance. I then
reproduced the bug under KASAN and checked the kernel-side code, but I
should have done a better job before replying.

I've also been reading the recent kernel discussions around AI-assisted
reports and patches, and I understand the concern better now. A patch
is not just a bug report saying what can go wrong; it also has to
explain why the change is correct in the subsystem context, so reviewers
are not left doing that work from scratch. I was thinking too much like
a bug reporter there and not carefully enough as a patch author. I will
not rely on LLM output as a substitute for reading and understanding the
code.

I'll send v5 with the above and will be more careful with Bluetooth
patches and follow-ups going forward.

Thanks for taking the time to point this out.

Zhang Cen
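The setup-request layout and the short-frame check discussed in the thread, as an added stand-alone example that is not code from the thread, the kernel or BlueZ: the BNEP_CONTROL and BNEP_SETUP_CONN_REQ values and the 2/4/16 UUID sizes come from the BNEP specification, while the function name, the extension-flag mask and the sample frame are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from the BNEP specification (assumed here, not quoted in the thread). */
#define BNEP_CONTROL        0x01  /* frame type: control frame */
#define BNEP_SETUP_CONN_REQ 0x01  /* control type: setup connection request */
#define BNEP_TYPE_MASK      0x7f  /* bit 7 of the type byte is the extension flag */

/* Layout as in lib/bluetooth/bnep.h: service[] holds dst UUID then src UUID,
 * each uuid_size bytes, so the variable part after ctrl is 1 + 2 * uuid_size. */
struct bnep_setup_conn_req {
	uint8_t type;
	uint8_t ctrl;
	uint8_t uuid_size;
	uint8_t service[];
} __attribute__((packed));

/* Hypothetical parser. Returns the number of bytes the request occupies
 * (3 + 2 * uuid_size) or -1 for a short or malformed frame. The length is
 * validated in two steps: the fixed header must be present before uuid_size
 * is read, and the tuple derived from uuid_size must fit before it is copied. */
int bnep_parse_setup_req(const uint8_t *buf, size_t len,
			 uint8_t *dst, uint8_t *src)
{
	const struct bnep_setup_conn_req *req;
	size_t need;

	if (len < sizeof(*req))              /* header (3 bytes) not complete */
		return -1;
	req = (const struct bnep_setup_conn_req *)buf;
	if ((req->type & BNEP_TYPE_MASK) != BNEP_CONTROL ||
	    req->ctrl != BNEP_SETUP_CONN_REQ)
		return -1;
	if (req->uuid_size != 2 && req->uuid_size != 4 && req->uuid_size != 16)
		return -1;
	need = sizeof(*req) + 2u * req->uuid_size;   /* dst + src tuple */
	if (len < need)                      /* frame shorter than it claims */
		return -1;
	memcpy(dst, req->service, req->uuid_size);
	memcpy(src, req->service + req->uuid_size, req->uuid_size);
	return (int)need;
}
```

A frame that advertises a 16-byte uuid_size but carries only a few bytes is rejected before any of the tuple is read, which is the condition the patch title refers to.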