From: Samuel Moelius Date: Mon, 8 Jun 2026 23:57:05 +0000 (+0000) Subject: Bluetooth: L2CAP: validate connectionless PSM length X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a40a5f922546b3bd7c094d882b29177db4f2abe0;p=thirdparty%2Flinux.git Bluetooth: L2CAP: validate connectionless PSM length Connectionless L2CAP frames carry a two-byte PSM at the start of the payload. l2cap_recv_frame() currently reads that PSM unconditionally after validating only the outer L2CAP length. A malformed connectionless frame with a zero- or one-byte payload can therefore make the parser read beyond the advertised skb payload and use tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer injected a one-byte connectionless payload and reached the unchecked read. Reject connectionless frames that cannot contain the PSM before reading or pulling it. This preserves all valid connectionless frames while dropping only structurally incomplete packets. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius Signed-off-by: Luiz Augusto von Dentz --- diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c index a97d492473e2..62133eef9d2f 100644 --- a/net/bluetooth/l2cap_core.c +++ b/net/bluetooth/l2cap_core.c @@ -7029,6 +7029,11 @@ static void l2cap_recv_frame(struct l2cap_conn *conn, struct sk_buff *skb) break; case L2CAP_CID_CONN_LESS: + if (skb->len < L2CAP_PSMLEN_SIZE) { + kfree_skb(skb); + break; + } + psm = get_unaligned((__le16 *) skb->data); skb_pull(skb, L2CAP_PSMLEN_SIZE); l2cap_conless_channel(conn, psm, skb);
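Review bot: the new guard in the L2CAP_CID_CONN_LESS case (`if (skb->len < L2CAP_PSMLEN_SIZE)`) tests the total skb length, but the read that follows, `get_unaligned((__le16 *) skb->data)`, only touches the linear area; if a non-linear skb can reach l2cap_recv_frame(), `skb->len >= 2` does not by itself guarantee two linear bytes at `skb->data`. The usual idiom for a parser reading a fixed-size field is `if (!pskb_may_pull(skb, L2CAP_PSMLEN_SIZE))`, which performs the same length check and also ensures the bytes are linear before the unaligned read and the `skb_pull(skb, L2CAP_PSMLEN_SIZE)`. If the Bluetooth receive path guarantees linear skbs at this point, the plain `skb->len` comparison is sufficient, and a one-line comment saying so would save the next reader the same question. The `kfree_skb(skb); break;` on the short path matches the ownership convention of the rest of the switch, where the frame is handed to l2cap_conless_channel() and consumed there, so the skb is neither leaked nor double-freed.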