[PW_SID:1096915] [v2] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify #212

BluezTestBot wants to merge 6 commits into
This patch adds workflow files for ci:

[sync.yml] - The workflow file for scheduled work
  - Sync the repo with upstream repo and rebase the workflow branch
  - Review the patches in the patchwork and create the PR if needed

[ci.yml] - The workflow file for CI tasks
  - Run CI tests when PR is created

Signed-off-by: Tedd Ho-Jeong An <tedd.an@intel.com>
This replaces the bzcafe action with bluez/action-ci so we can maintain everything in the github bluez organization.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This attempts to sync every 5 minutes instead of 30.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
bluez/action-ci uses master as the default branch for the workflow, which is incorrect for the kernel.

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
The CI action now creates individual GitHub Check Runs per test, which requires 'checks: write' permission on the GITHUB_TOKEN. Also make the pull_request trigger types explicit to include 'reopened', allowing CI to be retriggered by closing and reopening a PR.
smp_cmd_keypress_notify() accesses the received payload as struct smp_cmd_keypress_notify without verifying that skb->len contains enough data.

smp_sig_channel() removes the opcode byte before dispatching to command handlers, so a SMP_CMD_KEYPRESS_NOTIFY packet without a payload leaves skb->len equal to zero on entry to the handler, causing a 1-byte out-of-bounds read from the heap.

Use skb_pull_data() to safely consume the payload; it performs a bounds check internally and returns NULL when the packet is too short. Add a ratelimited warning in that path to aid debugging of malformed packets, matching the pattern used by hci_event.c.

Fixes: 1408bb6 ("Bluetooth: Add dummy handler for LE SC keypress notification")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
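The commit message above describes a length check that is missing before a struct cast, and the skb_pull_data() pattern that replaces it. The following is an added, user-space model of that pattern; it is not the kernel's smp.c, and struct sk_buff, skb_pull_data(), dispatch() and the two handlers below are simplified stand-ins (assumptions) so the check can be exercised stand-alone. The packets are constructed sample input; the fprintf() stands in for the ratelimited warning the commit adds.

```c
/* Added example: user-space model of the skb_pull_data() bounds-check
 * pattern from the commit message. Not the kernel's code; every type and
 * function here is a simplified stand-in (assumption) for the real one. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMP_CMD_KEYPRESS_NOTIFY 0x0e   /* SMP Keypress Notification opcode */

/* Minimal model of a socket buffer: head pointer plus remaining length. */
struct sk_buff {
    uint8_t *data;
    size_t len;
};

struct smp_cmd_keypress_notify {
    uint8_t value;
};

/* Model of skb_pull_data(): consume len bytes from the head of the buffer
 * and return a pointer to them, or NULL if fewer than len bytes remain. */
static void *skb_pull_data(struct sk_buff *skb, size_t len)
{
    void *data = skb->data;
    if (skb->len < len)
        return NULL;
    skb->data += len;
    skb->len -= len;
    return data;
}

/* Unchecked handler: casts skb->data without consulting skb->len, so with a
 * zero-length payload the read lands one byte past the received data. */
static int keypress_notify_unchecked(struct sk_buff *skb, uint8_t *out)
{
    struct smp_cmd_keypress_notify *kp = (void *)skb->data;
    *out = kp->value;              /* reads beyond the packet when skb->len == 0 */
    return 0;
}

/* Checked handler: the payload is only dereferenced once skb_pull_data()
 * has confirmed that sizeof(*kp) bytes are actually present. */
static int keypress_notify_checked(struct sk_buff *skb, uint8_t *out)
{
    struct smp_cmd_keypress_notify *kp = skb_pull_data(skb, sizeof(*kp));
    if (!kp) {
        /* stand-in for the ratelimited warning; the real code's return
         * value for this path is not shown on the page */
        fprintf(stderr, "malformed keypress notification, len %zu\n", skb->len);
        return -1;
    }
    *out = kp->value;
    return 0;
}

/* Model of the dispatch step: the opcode byte is stripped before the
 * handler runs, so an opcode-only packet reaches it with skb->len == 0. */
static int dispatch(uint8_t *pkt, size_t pkt_len, int checked, uint8_t *out)
{
    struct sk_buff skb = { .data = pkt, .len = pkt_len };
    uint8_t *opcode = skb_pull_data(&skb, 1);
    if (!opcode || *opcode != SMP_CMD_KEYPRESS_NOTIFY)
        return -1;
    return checked ? keypress_notify_checked(&skb, out)
                   : keypress_notify_unchecked(&skb, out);
}

/* Constructed sample packets: opcode followed by a 1-byte payload. For the
 * short case only the first byte counts as received; the 0xAA behind it
 * models stale heap memory that the unchecked handler would read. */
static const uint8_t full_pkt[]  = { SMP_CMD_KEYPRESS_NOTIFY, 0x03 };
static const uint8_t short_pkt[] = { SMP_CMD_KEYPRESS_NOTIFY, 0xAA };

/* Run one case over a private copy of the packet. Returns
 * (1 if the handler rejected the packet, else 0) << 8 | decoded value. */
static int case_result(const uint8_t *pkt, size_t backing_len,
                       size_t pkt_len, int checked)
{
    uint8_t buf[8] = {0}, out = 0;
    memcpy(buf, pkt, backing_len);
    int rc = dispatch(buf, pkt_len, checked, &out);
    return ((rc < 0 ? 1 : 0) << 8) | out;
}

int main(void)
{
    printf("full packet, checked:   0x%04x\n",
           case_result(full_pkt, sizeof full_pkt, sizeof full_pkt, 1));
    printf("short packet, checked:  0x%04x\n", case_result(short_pkt, 2, 1, 1));
    printf("short packet, unchecked: 0x%04x\n", case_result(short_pkt, 2, 1, 0));
    return 0;
}
```

The unchecked path "succeeds" on the truncated packet and returns whatever byte happens to follow the received data, which is exactly the silent out-of-bounds read the commit describes; the checked path rejects it before any dereference.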
CI checks:
- CheckPatch
- GitLint
- SubjectPrefix
- BuildKernel
- CheckAllWarning
- CheckSparse
- BuildKernel32
- TestRunnerSetup
- TestRunner_smp-tester
- IncrementalBuild
e6b705e to 133f77d
net/bluetooth/smp.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)