author Samuel Moelius <sam.moelius@trailofbits.com> 2026-06-09 02:56:28 +0300
committer Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2026-06-11 21:24:41 +0300
commit c38fbcdc407925c7088f7e5f11c1fff73d2d35a2 (patch)
tree 42bcd2797b4905198f702708f28b7c36ac095ddf /tools/lib/python
parent b66774b48dd98f07254951f74ea6f513efe7ff8b (diff)
download linux-c38fbcdc407925c7088f7e5f11c1fff73d2d35a2.tar.xz
Bluetooth: hci: validate codec capability element length
Read Local Codec Capabilities returns a sequence of capability elements. Each element starts with a one-byte length followed by that many payload bytes.

hci_read_codec_capabilities() checks that the skb contains the length byte, but then validates only caps->len against the remaining skb length. A malformed controller response with one remaining byte and caps->len set to one passes that check even though the element needs two bytes. The parser then records a two-byte capability and copies one byte beyond the advertised response payload into the codec list.

Validate the full element size, including the length byte, before adding it to the accumulated capability length. This preserves all well-formed capability elements and drops only truncated controller responses.

Fixes: 8961987f3f5f ("Bluetooth: Enumerate local supported codec and cache details")
Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'tools/lib/python')
0 files changed, 0 insertions, 0 deletions
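
The length check described in the commit message, modelled in user-space C as an added example: it is not the kernel patch and not code from this page. The function names, the walk helper and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* User-space model; all names here are hypothetical, not kernel identifiers. */

/* Check as described for the pre-fix code: the length byte is present and
 * the payload length alone is compared with the bytes remaining. */
static int fits_payload_only(const uint8_t *p, size_t remaining)
{
    return remaining >= 1 && (size_t)p[0] <= remaining;
}

/* Full-element check: one length byte plus p[0] payload bytes must fit. */
static int fits_full_element(const uint8_t *p, size_t remaining)
{
    return remaining >= 1 && (size_t)p[0] + 1 <= remaining;
}

/* Walk num_caps elements in buf[0..len) and return the accumulated
 * capability length, or -1 if an element is rejected as truncated. */
static long caps_total_len(const uint8_t *buf, size_t len, unsigned num_caps,
                           int (*fits)(const uint8_t *, size_t))
{
    size_t off = 0;

    for (unsigned i = 0; i < num_caps; i++) {
        if (off >= len || !fits(buf + off, len - off))
            return -1;
        off += (size_t)buf[off] + 1;   /* length byte + payload */
    }
    return (long)off;
}

/* Constructed sample data. TRUNCATED advertises only its first byte (len 1);
 * the second byte exists only so the model never reads outside the array. */
static const uint8_t WELL_FORMED[] = { 0x02, 0xAA, 0xBB, 0x01, 0xCC };
static const uint8_t TRUNCATED[]   = { 0x01, 0xEE };

int main(void)
{
    printf("well-formed, full check:       %ld\n",
           caps_total_len(WELL_FORMED, sizeof(WELL_FORMED), 2, fits_full_element));
    printf("truncated, payload-only check: %ld\n",
           caps_total_len(TRUNCATED, 1, 1, fits_payload_only));
    printf("truncated, full check:         %ld\n",
           caps_total_len(TRUNCATED, 1, 1, fits_full_element));
    return 0;
}
```

With the payload-only check the one-byte truncated response yields an accumulated length of 2, larger than the advertised payload; the full-element check rejects it while both checks accept the well-formed buffer.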