Re: [PATCH] Bluetooth: L2CAP: validate option length before reading conf opt value
From: patchwork-bot+bluetooth
Date: Mon Jun 22 2026 - 13:00:32 EST
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:
On Sun, 21 Jun 2026 00:56:35 +0500 you wrote:
> l2cap_get_conf_opt() derives the option length from the
> attacker-controlled opt->len field and immediately dereferences
> opt->val (as u8, get_unaligned_le16() or get_unaligned_le32(), or a
> raw pointer for the default case) before any caller has confirmed
> that opt->len bytes are present in the buffer. The callers
> (l2cap_parse_conf_req(), l2cap_parse_conf_rsp() and
> l2cap_conf_rfc_get()) only detect a malformed option afterwards, once
> the running length has gone negative, by which point the
> out-of-bounds read has already executed.
>
> [...]
Here is the summary with links:
- Bluetooth: L2CAP: validate option length before reading conf opt value
https://git.kernel.org/bluetooth/bluetooth-next/c/64522263b6e3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
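
The ordering problem described in the quoted commit message, as an added example (not part of this message and not the kernel patch): a simplified user-space parser for type/length/value options that confirms the declared length fits in the remaining buffer before reading the value. The names get_opt_checked, count_opts, OPT_HDR_SIZE and the sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define OPT_HDR_SIZE 2 /* type byte + length byte of one conf option */

/* Constructed samples: a well-formed option (type 0x01, len 2, value 672)
 * and a truncated one that claims 4 value bytes but carries only 1. */
static const uint8_t sample_ok[]  = { 0x01, 0x02, 0xA0, 0x02 };
static const uint8_t sample_bad[] = { 0x01, 0x04, 0xA0 };

/* Hypothetical user-space helper, not the kernel function. Parses one option
 * at *ptr with `remaining` bytes left. Returns bytes consumed, or -1. */
static int get_opt_checked(const uint8_t **ptr, size_t remaining,
                           uint8_t *type, uint8_t *olen, uint32_t *val)
{
    const uint8_t *p = *ptr;
    if (remaining < OPT_HDR_SIZE)
        return -1;              /* header itself is truncated */
    *type = p[0];
    *olen = p[1];
    if ((size_t)*olen > remaining - OPT_HDR_SIZE)
        return -1;              /* reject before touching the value bytes */

    switch (*olen) {
    case 1: *val = p[2]; break;
    case 2: *val = p[2] | ((uint32_t)p[3] << 8); break;
    case 4: *val = p[2] | ((uint32_t)p[3] << 8) |
                   ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 24); break;
    default: *val = 0; break;   /* other lengths: caller reads p + 2 as raw bytes */
    }
    *ptr = p + OPT_HDR_SIZE + *olen;
    return OPT_HDR_SIZE + *olen;
}

/* Walks a whole buffer; returns the option count, or -1 if any is malformed. */
static int count_opts(const uint8_t *buf, size_t len)
{
    int n = 0;
    while (len > 0) {
        uint8_t type, olen;
        uint32_t val;
        int used = get_opt_checked(&buf, len, &type, &olen, &val);
        if (used < 0)
            return -1;
        len -= (size_t)used;
        n++;
    }
    return n;
}
```

Because the helper returns an error before the switch, a caller never has to infer a malformed option from a running length that has already gone negative.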