path: root/tools/lib/python
author: Samuel Moelius <sam.moelius@trailofbits.com> 2026-06-09 02:57:05 +0300
committer: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2026-06-11 21:24:41 +0300
commit: a40a5f922546b3bd7c094d882b29177db4f2abe0 (patch)
tree: 60744a65f5f04d1eac384bda88d19c09d3d44753 /tools/lib/python
parent: c38fbcdc407925c7088f7e5f11c1fff73d2d35a2 (diff)
download: linux-a40a5f922546b3bd7c094d882b29177db4f2abe0.tar.xz
Bluetooth: L2CAP: validate connectionless PSM length
Connectionless L2CAP frames carry a two-byte PSM at the start of the payload. l2cap_recv_frame() currently reads that PSM unconditionally after validating only the outer L2CAP length. A malformed connectionless frame with a zero- or one-byte payload can therefore make the parser read beyond the advertised skb payload and use tailroom bytes as part of the PSM.

A VHCI-backed QEMU reproducer injected a one-byte connectionless payload and reached the unchecked read.

Reject connectionless frames that cannot contain the PSM before reading or pulling it. This preserves all valid connectionless frames while dropping only structurally incomplete packets.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'tools/lib/python')
0 files changed, 0 insertions, 0 deletions
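The check the commit message describes, as an added stand-alone example rather than the kernel's own l2cap_recv_frame(): a minimal parser for a connectionless L2CAP frame that validates the outer length and then, before touching the payload, confirms the payload is long enough to hold the two-byte PSM. The header layout (little-endian length and CID) and CID 0x0002 for the connectionless channel follow the L2CAP basic frame format; the function name, macro names and sample frames are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define L2CAP_HDR_LEN      4       /* 2-byte length + 2-byte CID        */
#define L2CAP_CID_CONNLESS 0x0002  /* connectionless data channel CID   */
#define L2CAP_PSM_LEN      2       /* PSM occupies first 2 payload bytes */

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Returns 1 and stores the PSM when the buffer holds a structurally
 * complete connectionless frame; returns 0 when the frame must be dropped. */
int parse_connless_frame(const uint8_t *buf, size_t buflen, uint16_t *psm)
{
    if (buflen < L2CAP_HDR_LEN)
        return 0;                       /* truncated basic header */

    uint16_t len = get_le16(buf);       /* advertised payload length */
    uint16_t cid = get_le16(buf + 2);

    if (cid != L2CAP_CID_CONNLESS)
        return 0;                       /* not a connectionless frame */

    /* Outer length check: the advertised payload must fit in the buffer.
     * On its own this does not guarantee the payload holds a PSM. */
    if (len > buflen - L2CAP_HDR_LEN)
        return 0;

    /* The check the commit adds: a zero- or one-byte payload cannot
     * contain the PSM, so reject it instead of reading past the payload. */
    if (len < L2CAP_PSM_LEN)
        return 0;

    *psm = get_le16(buf + L2CAP_HDR_LEN);
    return 1;
}

/* Constructed frames: len, cid, then payload. */
static const uint8_t valid_frame[]   = { 0x03, 0x00, 0x02, 0x00, 0x01, 0x00, 0xAA };
static const uint8_t onebyte_frame[] = { 0x01, 0x00, 0x02, 0x00, 0x01 };
static const uint8_t empty_frame[]   = { 0x00, 0x00, 0x02, 0x00 };
static const uint8_t overlong_frame[]= { 0x05, 0x00, 0x02, 0x00, 0x01, 0x00 };

int main(void)
{
    uint16_t psm = 0;
    int ok = parse_connless_frame(valid_frame, sizeof valid_frame, &psm);
    printf("valid frame accepted=%d psm=0x%04x\n", ok, psm);
    printf("one-byte payload accepted=%d\n",
           parse_connless_frame(onebyte_frame, sizeof onebyte_frame, &psm));
    return 0;
}
```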