Re: [PATCH] Bluetooth: RFCOMM: require a credit byte before consuming it

From: Luiz Augusto von Dentz

Date: Wed Apr 22 2026 - 11:21:55 EST


Hi Pengpeng,

On Fri, Apr 17, 2026 at 3:35 AM Pengpeng Hou <pengpeng@xxxxxxxxxxx> wrote:
>
> rfcomm_recv_data() treats the first payload byte as a credit field when
> the UIH frame carries PF and credit-based flow control is enabled.
>
> After the header has been stripped, the code does not re-check that the
> frame still has at least one payload byte before dereferencing skb->data.
> A malformed short frame can therefore trigger an out-of-bounds read.
>
> Drop the frame if the optional credit byte is not present.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@xxxxxxxxxxxxxxx
>
> Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
> ---
> net/bluetooth/rfcomm/core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
> index 611a9a94151e..964a78d473cc 100644
> --- a/net/bluetooth/rfcomm/core.c
> +++ b/net/bluetooth/rfcomm/core.c
> @@ -1715,6 +1715,9 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
> }
>
> if (pf && d->cfc) {
> + if (!skb->len)
> + goto drop;

We can probably use skb_pull_data below, which checks skb->len.

> u8 credits = *(u8 *) skb->data; skb_pull(skb, 1);
>
> d->tx_credits += credits;
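Review bot: the `if (!skb->len) goto drop;` check is correct, but the very next line still does the raw `*(u8 *) skb->data; skb_pull(skb, 1);` pair, so the length check and the pull are split across two statements that must stay in sync. As the reply above suggests, `skb_pull_data(skb, 1)` does both in one call and returns NULL when fewer than `len` bytes remain, so the whole block can become `u8 *p = skb_pull_data(skb, 1); if (!p) goto drop; d->tx_credits += *p;`, which also removes the explicit cast. The `drop:` label itself is outside the visible context; the reviewer applying this should confirm it frees the skb so a rejected short frame does not leak.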
> --
> 2.50.1 (Apple Git-155)
>


--
Luiz Augusto von Dentz
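The following is an added user-space model of the credit-byte handling discussed in this thread, not kernel code and not part of the patch: `struct frame` and `recv_frame()` are hypothetical stand-ins for the two `sk_buff` fields and the `rfcomm_recv_data()` logic involved, and the sample frames are constructed. It shows why the length must be checked after the header has been stripped and before the optional credit byte is consumed: a PF frame with an empty payload is rejected rather than read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the two sk_buff fields the credit logic uses (constructed
 * for this example; not the kernel's struct sk_buff). */
struct frame {
    const uint8_t *data;   /* skb->data: current read position */
    size_t len;            /* skb->len: payload bytes remaining */
};

/* Result code returned by recv_frame() for a frame that is too short. */
enum { FRAME_MALFORMED = -1 };

/* Hypothetical user-space model of the fixed rfcomm_recv_data() credit
 * handling. When PF is set and credit-based flow control (cfc) is on, the
 * first payload byte is a credit count. Before the fix that byte was read
 * without checking that the header-stripped frame still had one; here the
 * remaining length is checked first and a zero-length frame is rejected.
 * Returns FRAME_MALFORMED for such a frame, otherwise the number of data
 * bytes that would be delivered to the DLC (0 for a credit-only frame),
 * after adding any credits to *tx_credits. */
static int recv_frame(int pf, int cfc, const uint8_t *buf, size_t len,
                      unsigned int *tx_credits)
{
    struct frame f = { buf, len };

    if (pf && cfc) {
        if (f.len == 0)              /* the check the patch adds */
            return FRAME_MALFORMED;
        uint8_t credits = f.data[0]; /* safe: at least one byte present */
        f.data++;                    /* equivalent of skb_pull(skb, 1) */
        f.len--;
        *tx_credits += credits;
    }
    return (int)f.len;               /* bytes left for the DLC */
}

/* Constructed sample frames, header already stripped. */
static const uint8_t frame_credit_only[] = { 5 };           /* credits=5, no data */
static const uint8_t frame_credit_data[] = { 3, 'a', 'b' }; /* credits=3, 2 data bytes */
static const uint8_t frame_plain[]       = { 'x' };         /* no credit byte */

int main(void)
{
    unsigned int credits = 0;
    int r;

    /* PF frame whose payload is empty after header stripping: before the
     * fix this read one byte past the payload; now it is dropped. */
    r = recv_frame(1, 1, frame_credit_only, 0, &credits);
    printf("empty PF frame -> %s\n", r == FRAME_MALFORMED ? "dropped" : "ok");

    r = recv_frame(1, 1, frame_credit_only, sizeof frame_credit_only, &credits);
    printf("credit-only frame -> %d data bytes, credits now %u\n", r, credits);

    r = recv_frame(1, 1, frame_credit_data, sizeof frame_credit_data, &credits);
    printf("credit+data frame -> %d data bytes, credits now %u\n", r, credits);

    r = recv_frame(0, 1, frame_plain, sizeof frame_plain, &credits);
    printf("no-PF frame -> %d data bytes, credits now %u\n", r, credits);
    return 0;
}
```

The check is placed after the header has already been removed from the frame, which is the point the commit message makes: a length that was valid when the frame was first validated says nothing about how many payload bytes remain once the header is gone.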