Message ID | 20220729181041.1571220-1-luiz.dentz@gmail.com |
---|---|
State | Accepted |
Commit | c5d36b8a7dbdcf41da7316252b717c60c409992b |
Series | Bluetooth: ISO: Fix memory corruption |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | success | Success |
tedd_an/checkpatch | success | Checkpatch PASS |
tedd_an/gitlint | success | Gitlint PASS |
tedd_an/subjectprefix | success | PASS |
tedd_an/buildkernel | success | Build Kernel PASS |
tedd_an/buildkernel32 | success | Build Kernel32 PASS |
tedd_an/incremental_build | success | Pass |
tedd_an/testrunnersetup | success | Test Runner Setup PASS |
tedd_an/testrunnerl2cap-tester | success | Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0 |
tedd_an/testrunnerbnep-tester | success | Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0 |
tedd_an/testrunnermgmt-tester | success | Total: 494, Passed: 494 (100.0%), Failed: 0, Not Run: 0 |
tedd_an/testrunnerrfcomm-tester | success | Total: 10, Passed: 10 (100.0%), Failed: 0, Not Run: 0 |
tedd_an/testrunnersco-tester | success | Total: 12, Passed: 12 (100.0%), Failed: 0, Not Run: 0 |
tedd_an/testrunnersmp-tester | success | Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0 |
tedd_an/testrunneruserchan-tester | success | Total: 4, Passed: 4 (100.0%), Failed: 0, Not Run: 0 |
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=664152

---Test result---

Test Summary:
CheckPatch                      PASS      0.86 seconds
GitLint                         PASS      0.45 seconds
SubjectPrefix                   PASS      0.29 seconds
BuildKernel                     PASS      43.03 seconds
BuildKernel32                   PASS      38.11 seconds
Incremental Build with patches  PASS      52.80 seconds
TestRunner: Setup               PASS      632.61 seconds
TestRunner: l2cap-tester        PASS      21.11 seconds
TestRunner: bnep-tester         PASS      8.31 seconds
TestRunner: mgmt-tester         PASS      128.66 seconds
TestRunner: rfcomm-tester       PASS      12.15 seconds
TestRunner: sco-tester          PASS      11.77 seconds
TestRunner: smp-tester          PASS      11.62 seconds
TestRunner: userchan-tester     PASS      8.31 seconds

---
Regards,
Linux Bluetooth
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@intel.com>:

On Fri, 29 Jul 2022 11:10:41 -0700 you wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> The following memory corruption can happen since iso_pinfo.base size
> did not account for its headers (4 bytes):
>
> net/bluetooth/eir.c
>   76      memcpy(&eir[eir_len], data, data_len);
>                       ^^^^^^^         ^^^^^^^^
>   77      eir_len += data_len;
>   78
>   79      return eir_len;
>   80  }
>
> [...]

Here is the summary with links:
  - Bluetooth: ISO: Fix memory corruption
    https://git.kernel.org/bluetooth/bluetooth-next/c/c5d36b8a7dbd

You are awesome, thank you!
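The sizing rule behind this fix, as an added C example (not code from the patch or the kernel): a bounds-checked append of a service-data field into a fixed advertising buffer. The 252-byte buffer size, `struct pinfo`, the helper names and the UUID value are assumptions made for the illustration, and the 4-byte header is modeled as length, AD type and 16-bit UUID.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PER_AD_MAX  252                        /* assumed stand-in for HCI_MAX_PER_AD_LENGTH */
#define SVC_HDR_LEN 4                          /* length, AD type, 16-bit UUID */
#define BASE_MAX    (PER_AD_MAX - SVC_HDR_LEN) /* same arithmetic as the patch */

struct pinfo { uint8_t base_len; uint8_t base[BASE_MAX]; }; /* hypothetical */
/* Compile-time form of the invariant the fix establishes. */
_Static_assert(sizeof(((struct pinfo *)0)->base) + SVC_HDR_LEN <= PER_AD_MAX,
               "base plus service-data header must fit the advertising buffer");

/* Append [len][type][uuid16][data]; returns new offset, or 0 if it does not fit. */
static size_t append_service_data(uint8_t *buf, size_t cap, size_t off,
                                  uint16_t uuid, const uint8_t *data, size_t data_len)
{
    if (off > cap || cap - off < SVC_HDR_LEN || data_len > cap - off - SVC_HDR_LEN)
        return 0;
    if (data_len > 0xff - 3)           /* length octet covers type + UUID + data */
        return 0;
    buf[off++] = (uint8_t)(3 + data_len);
    buf[off++] = 0x16;                 /* AD type: Service Data, 16-bit UUID */
    buf[off++] = (uint8_t)(uuid & 0xff);
    buf[off++] = (uint8_t)(uuid >> 8);
    memcpy(&buf[off], data, data_len);
    return off + data_len;
}

/* Returns bytes used, 0 if rejected, -1 if anything past the buffer was touched. */
static int try_base(size_t data_len)
{
    uint8_t adv[PER_AD_MAX + 8], base[PER_AD_MAX];
    size_t i, n;
    if (data_len > sizeof(base))
        return 0;
    memset(adv, 0xAA, sizeof(adv));    /* last 8 bytes act as a canary */
    memset(base, 0x42, sizeof(base));  /* constructed payload */
    n = append_service_data(adv, PER_AD_MAX, 0, 0x1234 /* constructed UUID */, base, data_len);
    for (i = PER_AD_MAX; i < sizeof(adv); i++)
        if (adv[i] != 0xAA)
            return -1;
    return (int)n;
}

int main(void)
{
    printf("%d bytes -> %d, %d bytes -> %d\n", BASE_MAX, try_base(BASE_MAX),
           PER_AD_MAX, try_base(PER_AD_MAX));
    return 0;
}
```

A payload of `BASE_MAX` bytes fills the buffer exactly, while a payload of the pre-fix size is rejected instead of writing 4 bytes past the end.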
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c index dded22cde0d1..70c2dd30cb13 100644 --- a/net/bluetooth/iso.c +++ b/net/bluetooth/iso.c @@ -44,6 +44,9 @@ static void iso_sock_kill(struct sock *sk); /* ----- ISO socket info ----- */ #define iso_pi(sk) ((struct iso_pinfo *)sk) +#define EIR_SERVICE_DATA_LENGTH 4 +#define BASE_MAX_LENGTH (HCI_MAX_PER_AD_LENGTH - EIR_SERVICE_DATA_LENGTH) + struct iso_pinfo { struct bt_sock bt; bdaddr_t src; @@ -57,7 +60,7 @@ struct iso_pinfo { __u32 flags; struct bt_iso_qos qos; __u8 base_len; - __u8 base[HCI_MAX_PER_AD_LENGTH]; + __u8 base[BASE_MAX_LENGTH]; struct iso_conn *conn; };
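Review bot: In the first hunk, `#define EIR_SERVICE_DATA_LENGTH 4` is an undocumented magic number, and it lives in iso.c although the write it compensates for is the memcpy in net/bluetooth/eir.c quoted in the commit message. Please add a comment stating which header bytes the 4 covers, and consider defining the constant next to the EIR append helper (or deriving it from the field sizes there) so a change to the header layout cannot silently reopen the overflow. The name also reads as a payload length rather than a header length; a name that says "header" would be clearer.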
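Review bot: In the second hunk, `base[]` shrinks from HCI_MAX_PER_AD_LENGTH to BASE_MAX_LENGTH, but nothing in this diff touches the code that fills `base` or sets `base_len`. Any length check on that path that still compares against HCI_MAX_PER_AD_LENGTH rather than `sizeof(iso_pi(sk)->base)` would now overrun `base` into the fields that follow it (`conn` is next in struct iso_pinfo). Please confirm every writer bounds against sizeof(base) or BASE_MAX_LENGTH, and consider a remaining-space check at the memcpy site in eir.c as well, so the destination is protected independently of how the caller sized its source buffer.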