Re: [PATCH net] Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
From: patchwork-bot+bluetooth@kernel.org
Date: 2025-10-31 15:30:29
Also in:
linux-bluetooth, lkml, stable
Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz [off-list ref]:

On Mon, 20 Oct 2025 15:12:55 +0000 you wrote:
> In the parse_adv_monitor_pattern() function, the value of
> the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251).
> The size of the 'value' array in the mgmt_adv_pattern structure is 31.
> If the value of 'pattern[i].length' is set in the user space
> and exceeds 31, the 'patterns[i].value' array can be accessed
> out of bound when copied.
>
> [...]

Here is the summary with links:
- [net] Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
https://git.kernel.org/bluetooth/bluetooth-next/c/e1e9d861e2f9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
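
The bounds problem described in the quoted commit message, as an added user-space model (not the kernel's code and not the applied patch): a length validated only against 251 still lets a copy read past a 31-byte array. The struct layout, macro names and function names here are assumptions for illustration; only the values 251 and 31 come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_EXT_AD_LENGTH 251 /* HCI_MAX_EXT_AD_LENGTH, value from the message */
#define PATTERN_VALUE_LEN 31  /* size of the 'value' array, from the message */

/* Hypothetical stand-in for one request entry supplied by user space. */
struct adv_pattern_req {
    uint8_t length;                   /* caller-controlled */
    uint8_t value[PATTERN_VALUE_LEN];
};

/* Check as described before the fix: length is limited to 251 only. */
static int length_ok_before(const struct adv_pattern_req *p)
{
    return p->length <= MAX_EXT_AD_LENGTH;
}

/* Hardened check: length may never exceed the array it is used to read. */
static int length_ok_after(const struct adv_pattern_req *p)
{
    return p->length <= sizeof(p->value);
}

/* Bytes a copy of 'length' bytes would read past 'value'; 0 = in bounds. */
size_t overread_bytes(const struct adv_pattern_req *p, int hardened)
{
    int accepted = hardened ? length_ok_after(p) : length_ok_before(p);

    if (!accepted || p->length <= sizeof(p->value))
        return 0;
    return p->length - sizeof(p->value);
}

/* Copy only after validation; returns bytes copied, or -1 when rejected. */
int copy_pattern(uint8_t *dst, size_t dst_len, const struct adv_pattern_req *p)
{
    if (!length_ok_after(p) || p->length > dst_len)
        return -1;
    memcpy(dst, p->value, p->length);
    return p->length;
}

int main(void)
{
    struct adv_pattern_req p = { .length = 200 }; /* constructed input */

    printf("before: %zu bytes past the array\n", overread_bytes(&p, 0));
    printf("after:  %zu bytes past the array\n", overread_bytes(&p, 1));
    return 0;
}
```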