Skip to content

bluetooth: hci_raw: avoid possible memory overflow in bt_buf_get_tx() #42093

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 26, 2022
Merged

bluetooth: hci_raw: avoid possible memory overflow in bt_buf_get_tx() #42093

merged 2 commits into from
Jan 26, 2022

Conversation

jfischer-no
Copy link
Collaborator

bluetooth: hci_raw: avoid possible memory overflow in bt_buf_get_tx()

Function bt_buf_get_tx(), which is used to allocate buffer from
fixed-size pool, does not check size argument before copying
the data with the length size into fixed-size buffer, wich may
not be large enough.

Check immediately before copying if the tailroom of the buffer
is large enough.

usb: bluetooth: check buffer tailroom before copying

If HCI packet length is greater than endpoint MPS or currently
received data block (over USB), next block could be larger
than allocated net_buf buffer.

Check buffer tailroom before copying data using net_buf_add_mem().

@jfischer-no
bluetooth: hci_raw: avoid possible memory overflow in bt_buf_get_tx()
907c257 
Function bt_buf_get_tx(), which is used to allocate buffer from
fixed-size pool, does not check size argument before copying
the data with the length size into fixed-size buffer, wich may
not be large enough.

Check immediately before copying if the tailroom of the buffer
is large enough.

Signed-off-by: Johann Fischer <[email protected]>
@jfischer-no
usb: bluetooth: check buffer tailroom before copying
ed2e6df 
If HCI packet length is greater than endpoint MPS or currently
received data block (over USB), next block could be larger
than allocated net_buf buffer.

Check buffer tailroom before copying data using net_buf_add_mem().

Signed-off-by: Johann Fischer <[email protected]>
@jfischer-no jfischer-no added bug The issue is a bug, or the PR is fixing a bug area: USB Universal Serial Bus area: Bluetooth HCI Bluetooth HCI Driver labels Jan 24, 2022
@jfischer-no jfischer-no added this to the v3.0.0 milestone Jan 24, 2022
@github-actions github-actions bot added area: Bluetooth area: Bluetooth Host Bluetooth Host (excluding BR/EDR) labels Jan 24, 2022
@carlescufi carlescufi merged commit 3880014 into zephyrproject-rtos:main Jan 26, 2022
@carlescufi carlescufi added the backport v2.7-branch Request backport to the v2.7-branch label Jan 26, 2022
@zephyrbot zephyrbot mentioned this pull request Jan 26, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhedberg jhedberg jhedberg approved these changes

@carlescufi carlescufi carlescufi approved these changes

@alwa-nordic alwa-nordic alwa-nordic approved these changes

@Vudentz Vudentz Awaiting requested review from Vudentz

@asbjornsabo asbjornsabo Awaiting requested review from asbjornsabo

@Thalley Thalley Awaiting requested review from Thalley

Assignees

@jhedberg jhedberg

Labels
area: Bluetooth HCI Bluetooth HCI Driver area: Bluetooth Host Bluetooth Host (excluding BR/EDR) area: Bluetooth area: USB Universal Serial Bus backport v2.7-branch Request backport to the v2.7-branch bug The issue is a bug, or the PR is fixing a bug
Projects
None yet
Milestone
v3.0.0
Development

Successfully merging this pull request may close these issues.
4 participants
@jfischer-no @jhedberg @carlescufi @alwa-nordic