Re: [PATCH] Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req

Next message: Antheas Kapenekakis: "Re: [RFC v1 2/8] acpi/x86: s2idle: Rename LPS0 constants so they mirror their function"
Previous message: Andy Shevchenko: "Re: [PATCH v4 0/7] iio: light: vcnl4000: add regulator support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: patchwork-bot+bluetooth

Date: Mon Mar 16 2026 - 16:01:26 EST

Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Sun, 15 Mar 2026 22:14:37 +0900 you wrote:
> Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd()
> that is triggered by a malformed Enhanced Credit Based Connection Request.
>
> The vulnerability stems from l2cap_ecred_conn_req(). The function allocates
> a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel
> IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more
> than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated
> `cmd_len` before checking if the number of SCIDs exceeds
> L2CAP_ECRED_MAX_CID.
>
> [...]

Here is the summary with links:
- Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req
https://git.kernel.org/bluetooth/bluetooth-next/c/6ec1f2e822b2

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html