Re: [PATCH] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify
From: Muhammad Bilal
Date: Sun May 17 2026 - 15:03:51 EST

Hi Paul,

There is no safe way to access kp->value in the truncated case, since
the payload is not guaranteed to be present when skb->len < sizeof(*kp).
If diagnostic information is still useful, only metadata can be logged:

	if (skb->len < sizeof(*kp)) {
		bt_dev_dbg(conn->hcon->hdev,
			   "truncated keypress notify, len=%u",
			   skb->len);
		return SMP_INVALID_PARAMS;
	}

This keeps visibility into malformed packets without touching unvalidated
memory. Happy to send a v2 if that looks good to you.

Regards,
Muhammad Bilal