--- /dev/null
+From 149324fc762c2a7acef9c26790566f81f475e51f Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Tue, 2 Jun 2026 16:48:34 -0400
+Subject: Bluetooth: MGMT: Fix backward compatibility with userspace
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 149324fc762c2a7acef9c26790566f81f475e51f upstream.
+
+bluetoothd has a bug with makes it send extra bytes as part of
+MGMT_OP_ADD_EXT_ADV_DATA which are now being checked to be the
+exact the expected length, relax this so only when the expected
+length is greater than the data length to cause an error since
+that would result in accessing invalid memory, otherwise just
+ignore the extra bytes.
+
+Link: https://lore.kernel.org/linux-bluetooth/20260602204749.210857-1-luiz.dentz@gmail.com/T/#u
+Fixes: d3f7d17960ed ("Bluetooth: MGMT: validate Add Extended Advertising Data length")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/mgmt.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/bluetooth/mgmt.c
++++ b/net/bluetooth/mgmt.c
+@@ -8088,8 +8088,9 @@ static int add_ext_adv_data(struct sock
+
+ BT_DBG("%s", hdev->name);
+
+- expected_len = struct_size(cp, data, cp->adv_data_len + cp->scan_rsp_len);
+- if (expected_len != data_len)
++ expected_len = struct_size(cp, data, cp->adv_data_len +
++ cp->scan_rsp_len);
++ if (expected_len > data_len)
+ return mgmt_cmd_status(sk, hdev->id, MGMT_OP_ADD_EXT_ADV_DATA,
+ MGMT_STATUS_INVALID_PARAMS);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
