[lvc-project] [PATCH net] Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
patchwork-bot+bluetooth at kernel.org
Fri Oct 31 18:30:05 MSK 2025
Hello:
This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz at intel.com>:
On Mon, 20 Oct 2025 15:12:55 +0000 you wrote:
> In the parse_adv_monitor_pattern() function, the value of
> the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH (251).
> The size of the 'value' array in the mgmt_adv_pattern structure is 31.
> If the value of 'pattern[i].length' is set in the user space
> and exceeds 31, the 'patterns[i].value' array can be accessed
> out of bounds when copied.
>
> [...]
Here is the summary with links:
- [net] Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
https://git.kernel.org/bluetooth/bluetooth-next/c/e1e9d861e2f9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
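
As an added illustration of the bug class the quoted commit message describes (not the kernel patch itself and not code from this thread), the following user-space C model contrasts a length check bounded only by 251 with one bounded by the 31-byte array. The struct layout, function names and sample lengths are assumptions constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_EXT_AD_LENGTH 251 /* limit named in the message: HCI_MAX_EXT_AD_LENGTH */
#define PATTERN_VALUE_LEN 31  /* size of 'value' given in the message */

/* Simplified user-space model; the field layout is an assumption. */
struct adv_pattern_model {
    uint8_t ad_type;
    uint8_t offset;
    uint8_t length;                   /* caller-controlled */
    uint8_t value[PATTERN_VALUE_LEN]; /* fixed-size source buffer */
};

/* Check as described in the message: length is only limited to 251. */
int length_ok_loose(const struct adv_pattern_model *p)
{
    return p->length <= MAX_EXT_AD_LENGTH;
}

/* Hardened check: length must also fit the 31-byte array being read. */
int length_ok_strict(const struct adv_pattern_model *p)
{
    return p->length <= sizeof(p->value);
}

/* Copy the value only if the strict check passes; -1 means rejected. */
int copy_pattern_value(uint8_t *dst, size_t dst_len, const struct adv_pattern_model *p)
{
    if (!length_ok_strict(p) || p->length > dst_len)
        return -1;
    memcpy(dst, p->value, p->length);
    return p->length;
}

/* Constructed input: a pattern whose length field is set by the caller. */
int try_copy(uint8_t claimed_len)
{
    struct adv_pattern_model p = { .ad_type = 0xff, .offset = 0, .length = claimed_len };
    uint8_t dst[MAX_EXT_AD_LENGTH];

    return copy_pattern_value(dst, sizeof(dst), &p);
}

/* Returns 1 when the loose check would let an oversized length through. */
int loose_accepts(uint8_t claimed_len)
{
    struct adv_pattern_model p = { .length = claimed_len };
    return length_ok_loose(&p) && !length_ok_strict(&p);
}
```

A length of 200 passes the loose check but is rejected before `memcpy()` by the strict one, while the maximum valid length of 31 is still copied.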