Re: [Patch net v2 1/3] bluetooth: validate HCI_EVENT_PKT packet carefully

On Tue, Apr 23, 2019 at 12:42 PM Marcel Holtmann wrote: > > Hi Cong, > > > hci_event_packet() blindly assumes all packets are sane, at least > > for packets allocated via vhci_get_user() path this is not true. > > We have to check if we access skb data out-of-bound with > > pskb_may_pull() before

Re: [Patch net v2 1/3] bluetooth: validate HCI_EVENT_PKT packet carefully

Hi Cong, > hci_event_packet() blindly assumes all packets are sane, at least > for packets allocated via vhci_get_user() path this is not true. > We have to check if we access skb data out-of-bound with > pskb_may_pull() before each skb->data dereference on RX path. > > Reported-and-tested-by: sy

[Patch net v2 1/3] bluetooth: validate HCI_EVENT_PKT packet carefully

hci_event_packet() blindly assumes all packets are sane, at least for packets allocated via vhci_get_user() path this is not true. We have to check if we access skb data out-of-bound with pskb_may_pull() before each skb->data dereference on RX path. Reported-and-tested-by: syzbot+cec7a50c412a2c03f

[Patch net v2 1/3] bluetooth: validate HCI_EVENT_PKT packet carefully

hci_event_packet() blindly assumes all packets are sane, at least for packets allocated via vhci_get_user() path this is not true. We have to check if we access skb data out-of-bound with pskb_may_pull() before each skb->data dereference on RX path. Reported-and-tested-by: syzbot+cec7a50c412a2c03f