Re: Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add

Next message: Frank Li: "Re: [PATCH 4/8] dmaengine: tegra: Use struct for register offsets"
Previous message: Martin KaFai Lau: "Re: [PATCH v5] bpf: test_run: Fix the null pointer dereference issue in bpf_lwt_xmit_push_encap"
Next in thread: Luiz Augusto von Dentz: "Re: Bluetooth: mgmt: Fix heap overflow in mgmt_mesh_add"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Daniel Matsumoto

Date: Tue Feb 17 2026 - 13:09:47 EST

Regarding commit ac0c6f1b6a58 ("Bluetooth: mgmt: Fix heap overflow in
mgmt_mesh_add"):

I reviewed the call path for this patch and the overflow condition
appears to be unreachable in the current tree.
The only caller of mgmt_mesh_add() is mesh_send() in
net/bluetooth/mgmt_util.c. The length parameter is explicitly
sanitized before the call:

if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED) ||
len <= MGMT_MESH_SEND_SIZE ||
len > (MGMT_MESH_SEND_SIZE + 31))
return mgmt_cmd_status(sk, hdev->id, MGMT_OP_MESH_SEND,
MGMT_STATUS_REJECTED);

Given that mgmt_mesh_add() allocates sizeof(*mesh_tx), which includes
the param buffer sized for this maximum length, the bounds check
introduced in the commit is redundant.
While defensive programming is valid, tagging this as a fix for a heap
overflow is misleading for backporters and security scanners, as the
overflow cannot be triggered.

Please consider dropping this from the stable queue to avoid
unnecessary code churn.