Re: [PATCH v1 1/1] Bluetooth: L2CAP: fix heap over-read in l2cap_get_conf_opt

From: Paul Menzel

Date: Fri May 29 2026 - 14:15:53 EST


Dear Muhammad,


On 27.05.26 at 07:18, Muhammad Bilal wrote:

>> By any chance, do you have a reproducer?
>
> No standalone reproducer is available. The issue can be triggered by
> a malformed L2CAP configuration request where opt->len exceeds the
> remaining buffer, i.e. a crafted packet from a remote peer.

Understood.

>> I always wonder if Linux should log a debug message or even a warning.
>
> Existing callers generally handle malformed configuration options by
> silently aborting parsing, so I followed the same pattern. Adding a
> BT_ERR() on -EINVAL could be reasonable; I can include that in a v2
> if preferred.

Thank you for sharing the reasoning. It makes sense, and no need to add it then.


Kind regards,

Paul
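As an added example, not code from the patch, the kernel, or either participant in this thread: a bounds-checked walker for the L2CAP configuration-option TLVs (1-byte type, 1-byte length, value) that the reply describes, fed a constructed request whose second option declares a length larger than the bytes remaining. The function and struct names (get_conf_opt_checked, parse_conf_req, claimed_overrun, parsed_opt) are hypothetical; the 2-byte option header and the MTU/flush-timeout type values follow the L2CAP specification. It shows the check that prevents reading past the received PDU and returns -EINVAL so the caller can abort parsing.

```c
/* Bounds-checked parsing of L2CAP configuration options (type/len/value).
 * Illustrative example; the kernel's l2cap_get_conf_opt() is not reproduced
 * here and all identifiers below are hypothetical.
 * Build: cc -std=c11 -Wall conf_opt.c -o conf_opt */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define L2CAP_CONF_OPT_SIZE 2        /* option header: 1-byte type + 1-byte len */
#define L2CAP_CONF_MTU      0x01     /* option types from the L2CAP spec */
#define L2CAP_CONF_FLUSH_TO 0x02

struct parsed_opt {
    uint8_t type;
    uint8_t len;
    uint32_t val;          /* little-endian scalar for 1/2/4-byte values */
    const uint8_t *data;   /* raw value bytes for any other size */
};

/* Decode one option at ptr. Returns bytes consumed, or -EINVAL when the
 * header or the declared value does not fit in the remaining bytes. */
static int get_conf_opt_checked(const uint8_t *ptr, size_t remaining,
                                struct parsed_opt *out)
{
    if (remaining < L2CAP_CONF_OPT_SIZE)
        return -EINVAL;

    uint8_t type = ptr[0];
    uint8_t len  = ptr[1];
    size_t total = L2CAP_CONF_OPT_SIZE + (size_t)len;

    /* Trusting len alone would read len bytes after the header even when
     * fewer than that remain in the received request. */
    if (total > remaining)
        return -EINVAL;

    const uint8_t *v = ptr + L2CAP_CONF_OPT_SIZE;
    out->type = type;
    out->len  = len;
    out->data = v;
    switch (len) {
    case 1: out->val = v[0]; break;
    case 2: out->val = (uint32_t)v[0] | ((uint32_t)v[1] << 8); break;
    case 4: out->val = (uint32_t)v[0] | ((uint32_t)v[1] << 8) |
                       ((uint32_t)v[2] << 16) | ((uint32_t)v[3] << 24); break;
    default: out->val = 0; break;
    }
    return (int)total;
}

/* Walk a configuration request payload. Stops at the first option that does
 * not fit and returns -EINVAL (silent abort); *nopts receives the number of
 * options decoded before stopping. */
static int parse_conf_req(const uint8_t *buf, size_t len,
                          struct parsed_opt *opts, size_t max_opts,
                          size_t *nopts)
{
    size_t n = 0;
    while (len >= L2CAP_CONF_OPT_SIZE && n < max_opts) {
        int used = get_conf_opt_checked(buf, len, &opts[n]);
        if (used < 0) {
            *nopts = n;
            return used;
        }
        buf += used;
        len -= (size_t)used;
        n++;
    }
    *nopts = n;
    return 0;
}

/* Bytes an unchecked parser would read past the end of buf for the option
 * starting at buf, or 0 when the option fits entirely. */
static size_t claimed_overrun(const uint8_t *buf, size_t len)
{
    if (len < L2CAP_CONF_OPT_SIZE)
        return L2CAP_CONF_OPT_SIZE - len;
    size_t total = L2CAP_CONF_OPT_SIZE + (size_t)buf[1];
    return total > len ? total - len : 0;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t good_req[] = {
    L2CAP_CONF_MTU,      2,    0xA0, 0x02,   /* MTU = 672 */
    L2CAP_CONF_FLUSH_TO, 2,    0xFF, 0xFF,   /* flush timeout = 0xFFFF */
};
static const uint8_t bad_req[] = {
    L2CAP_CONF_MTU,      2,    0xA0, 0x02,   /* valid first option */
    L2CAP_CONF_FLUSH_TO, 0x40, 0xFF, 0xFF,   /* claims 64 value bytes, 2 follow */
};

int main(void)
{
    struct parsed_opt opts[4];
    size_t n;
    int rc = parse_conf_req(good_req, sizeof good_req, opts, 4, &n);
    printf("good: rc=%d options=%zu mtu=%u\n", rc, n, opts[0].val);
    rc = parse_conf_req(bad_req, sizeof bad_req, opts, 4, &n);
    printf("bad:  rc=%d options=%zu would-overread=%zu bytes\n", rc, n,
           claimed_overrun(bad_req + 4, sizeof bad_req - 4));
    return 0;
}
```

The overrun helper only computes the distance an unchecked read would travel; it never performs it, so the program is safe to run under a sanitizer as-is. A caller that wants the logging discussed in the thread would add it at the single point where parse_conf_req receives -EINVAL.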