summaryrefslogtreecommitdiff
path: root/tools/perf/scripts/python/bin/stackcollapse-report
diff options
context:
space:
mode:
authorSeungJu Cheon <suunj1331@gmail.com>2026-05-25 20:04:43 +0900
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2026-06-03 11:21:03 -0400
commit23882b828c3c8c51d0c946446a396b10abb3b16b (patch)
tree52a3222e637bf0d918d71008f111c1c65a4ac3d5 /tools/perf/scripts/python/bin/stackcollapse-report
parentde23fb62259aa01d294f77238ae3b835eb674413 (diff)
Bluetooth: RFCOMM: validate skb length in MCC handlers
The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger out-of-bounds reads in these handlers. Fix this by using skb_pull_data() to validate and access the required data before dereferencing it. rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows 1-byte RPN requests. Handle this by validating only the DLCI byte first, and validating the full struct only when len > 1. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Suggested-by: Muhammad Bilal <meatuni001@gmail.com> Signed-off-by: SeungJu Cheon <suunj1331@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'tools/perf/scripts/python/bin/stackcollapse-report')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-18 07:26:45 +0000