Re: [PATCH] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify

From: Paul Menzel

Date: Sun May 17 2026 - 14:41:35 EST


Dear Muhammad,


Am 17.05.26 um 20:08 schrieb Muhammad Bilal:

> Thanks for the review.

Thank you for your instant reply.

> Moving the check after bt_dev_dbg() would not be safe since the debug
> statement reads kp->value, which is exactly what the length check is guarding.
>
> On a truncated SMP_CMD_KEYPRESS_NOTIFY packet, skb->len may be smaller
> than sizeof(*kp) when entering the handler, so evaluating kp->value in
> the debug log would already access out-of-bounds memory before the
> guard is reached.
>
> Therefore the length check needs to remain before any access to
> kp->value.

Thank you for the explanation. Is there another way to log the faulty value?


Kind regards,

Paul
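The ordering argument in the quoted explanation, as an added userspace model that is not the kernel's code and not the patch under discussion: the `sk_buff`, the `bt_dev_dbg()` stand-in, the reason code `EXAMPLE_INVALID_PARAMS` and the helper names are all constructed for this example. The handler bounds-checks `skb->len` against `sizeof(*kp)` before any read of `kp->value`, and on the truncated path logs only the observed length, which is the one value that is safe to report when the field itself cannot be read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's sk_buff: only the two fields
 * the handler looks at. */
struct sk_buff {
	const uint8_t *data;
	size_t len;
};

/* Modeled on the SMP keypress notification PDU: a single value byte. */
struct smp_cmd_keypress_notify {
	uint8_t value;
} __attribute__((packed));

/* Hypothetical reason codes for this example, not the kernel's values. */
#define EXAMPLE_OK             0
#define EXAMPLE_INVALID_PARAMS 0x0a

/* Stand-in for bt_dev_dbg(): prints to stderr. */
#define example_dbg(...) fprintf(stderr, __VA_ARGS__)

/*
 * Handler with the length check placed before any access to kp->value.
 * On success the value that would have been logged is also returned
 * through *seen so a test can check it without capturing stderr.
 */
static int keypress_notify_checked(const struct sk_buff *skb, uint8_t *seen)
{
	const struct smp_cmd_keypress_notify *kp = (const void *)skb->data;

	if (skb->len < sizeof(*kp)) {
		/* Truncated PDU: kp->value lies past the end of the payload,
		 * so report only skb->len, which is known to be valid. */
		example_dbg("keypress notify truncated: len %zu < %zu\n",
			    skb->len, sizeof(*kp));
		return EXAMPLE_INVALID_PARAMS;
	}

	/* Only reached once the field is known to be inside the payload. */
	example_dbg("value 0x%02x\n", kp->value);
	if (seen)
		*seen = kp->value;
	return EXAMPLE_OK;
}

/* Convenience wrapper: run the handler over a constructed payload. */
static int run_keypress_notify(const uint8_t *payload, size_t len, uint8_t *seen)
{
	struct sk_buff skb = { .data = payload, .len = len };

	return keypress_notify_checked(&skb, seen);
}

int main(void)
{
	/* Constructed sample PDUs: a complete one and a truncated one. */
	static const uint8_t complete[] = { 0x03 };
	uint8_t seen = 0xff;

	run_keypress_notify(complete, sizeof(complete), &seen);
	run_keypress_notify(complete, 0, &seen);
	return 0;
}
```

The truncated path answers the question raised above in the only way that stays in bounds: the length is logged, the unreadable field is not.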