git.ipfire.org Git - thirdparty/linux.git/commit

author	Muhammad Bilal <meatuni001@gmail.com>
	Wed, 20 May 2026 22:56:43 +0000 (18:56 -0400)
committer	Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
	Wed, 27 May 2026 20:44:02 +0000 (16:44 -0400)
commit	2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6
tree	55564e488966e12b685920a91789a2df88f027d7	tree \| snapshot
parent	8c8e620467a7b51562dbcefbd1f09f288d7d710d	commit \| diff

Bluetooth: HIDP: fix missing length checks in hidp_input_report()

hidp_input_report() reads keyboard and mouse payload data from an skb
without first verifying that skb->len contains enough data.

hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching
to hidp_input_report(). If a paired device sends a truncated packet,
the handler reads beyond the valid skb data, resulting in an
out-of-bounds read of skb data. The OOB bytes may be interpreted as
phantom key presses or spurious mouse movement.

Replace the open-coded length tracking and pointer arithmetic with
skb_pull_data() calls. skb_pull_data() returns NULL if the requested
bytes are not present, eliminating the need for a manual size variable
and the separate skb->len guard.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>