Re: [PATCH] Bluetooth: MGMT: validate Add Extended Advertising Data length

[Luiz Augusto von Dentz]

Hi,

On Fri, May 15, 2026 at 10:38 AM Michael Bommarito
<michael.bommarito@xxxxxxxxx> wrote:
>
> MGMT_OP_ADD_EXT_ADV_DATA is registered as a variable-length command,
> with MGMT_ADD_EXT_ADV_DATA_SIZE as the fixed header size.  The handler
> then uses cp->adv_data_len and cp->scan_rsp_len to validate and copy
> cp->data, but it never checks that those bytes are part of the mgmt
> command payload.
>
> A short command can therefore make add_ext_adv_data() pass an
> out-of-bounds pointer into tlv_data_is_valid().  If the bytes beyond
> the command buffer are addressable, they can also be copied into the
> advertising instance as scan response data, where the caller can read
> them back via MGMT_OP_GET_ADV_INSTANCE.  The trigger requires
> CAP_NET_ADMIN in the initial user namespace; KASAN reports an 8-byte
> slab-out-of-bounds read.
>
> Reject commands whose length does not match the fixed header plus both
> advertising data lengths before parsing cp->data.
>
> Fixes: 12410572833a ("Bluetooth: Break add adv into two mgmt commands")
> Cc: stable@xxxxxxxxxxxxxxx
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Michael Bommarito <michael.bommarito@xxxxxxxxx>
> ---
>  net/bluetooth/mgmt.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
> index b05bb380e5f8..de5bd6b637b2 100644
> --- a/net/bluetooth/mgmt.c
> +++ b/net/bluetooth/mgmt.c
> @@ -9110,9 +9110,15 @@ static int add_ext_adv_data(struct sock *sk, struct hci_dev *hdev, void *data,
>         struct adv_info *adv_instance;
>         int err = 0;
>         struct mgmt_pending_cmd *cmd;
> +       u16 expected_len;
>
>         BT_DBG("%s", hdev->name);
>
> +       expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
> +       if (expected_len != data_len)
> +               return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
> +                                      MGMT_STATUS_INVALID_PARAMS);

So it appears this was never tested with the likes of
bluetoothd/bluetoothctl> advertise on:

bluetoothd[40]: @ MGMT Command: Add Extende..   {0x0001} [hci0] 16:04:53.318270
        Instance: 1
        Advertising data length: 3
        Advertising Data[3]:
        02 01 06                                         ...
        Flags: 0x06
          LE General Discoverable Mode
          BR/EDR Not Supported
        Scan response length: 0
        00 00 00 00 00 00 00 00                          ........
<- Extra bytes
@ MGMT Event: Command Status (0x0002) plen 3    {0x0001} [hci0] 16:04:53.318287
      Add Extended Advertising Data (0x0055)
        Status: Invalid Parameters (0x0d)

That is probably a bug in bluetoothd but it breaks backward compatibility.

>         hci_dev_lock(hdev);
>
>         adv_instance = hci_find_adv_instance(hdev, cp->instance);
> --
> 2.53.0
>


-- 
Luiz Augusto von Dentz