| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Jun 2024 19:09:37 +0800
From: Edward Adam Davis <eadavis@...com>
To: pmenzel@...gen.mpg.de
Cc: davem@...emloft.net,
eadavis@...com,
edumazet@...gle.com,
johan.hedberg@...il.com,
kuba@...nel.org,
linux-bluetooth@...r.kernel.org,
linux-kernel@...r.kernel.org,
luiz.dentz@...il.com,
luiz.von.dentz@...el.com,
marcel@...tmann.org,
netdev@...r.kernel.org,
pabeni@...hat.com,
syzkaller-bugs@...glegroups.com,
william.xuanziyang@...wei.com
Subject: [PATCH v2] Bluetooth: Ignore too large handle values in BIG
hci_le_big_sync_established_evt is necessary to filter out cases where the
handle value is belonging to ida id range, otherwise ida will be erroneously
released in hci_conn_cleanup.
Fixes: 181a42edddf5 ("Bluetooth: Make handle of hci_conn be unique")
Reported-by: syzbot+b2545b087a01a7319474@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=b2545b087a01a7319474
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
net/bluetooth/hci_event.c | 4 +++
1 file changed, 4 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index a487f9df8145..3966fbc38df9 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6893,6 +6893,10 @@ static void hci_le_big_sync_established_evt(struct hci_dev *hdev, void *data,
bis = hci_conn_hash_lookup_handle(hdev, handle);
if (!bis) {
+ if (handle > HCI_CONN_HANDLE_MAX) {
+ bt_dev_dbg(hdev, "ignore too large handle %u", handle);
+ continue;
+ }
bis = hci_conn_add(hdev, ISO_LINK, BDADDR_ANY,
HCI_ROLE_SLAVE, handle);
if (IS_ERR(bis))
--
2.43.0
Powered by blists - more mailing lists