diff options
| author | Keenan Dong <keenanat2000@gmail.com> | 2026-04-01 22:25:26 +0800 |
|---|---|---|
| committer | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2026-04-01 16:47:19 -0400 |
| commit | bda93eec78cdbfe5cda00785cefebd443e56b88b (patch) | |
| tree | aa07f6bc7a3c7f74398edf881ff3b862a2d07a18 /drivers/usb/input/git@git.tavy.me:linux.git | |
| parent | b255531b27da336571411248c2a72a350662bd09 (diff) | |
Bluetooth: MGMT: validate mesh send advertising payload length
mesh_send() currently bounds MGMT_OP_MESH_SEND by total command
length, but it never verifies that the bytes supplied for the
flexible adv_data[] array actually match the embedded adv_data_len
field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a
truncated command can still pass the existing 20..50 byte range
check and later drive the async mesh send path past the end of the
queued command buffer.
Keep rejecting zero-length and oversized advertising payloads, but
validate adv_data_len explicitly and require the command length to
exactly match the flexible array size before queueing the request.
Fixes: b338d91703fa ("Bluetooth: Implement support for Mesh")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Diffstat (limited to 'drivers/usb/input/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions