Re: [PATCH] Bluetooth: SMP: add missing skb len check in smp_cmd_keypress_notify
From: Paul Menzel
Date: Mon May 18 2026 - 16:36:29 EST
Dear Muhammad,
On 17.05.26 at 21:03, Muhammad Bilal wrote:
> There is no safe way to access kp->value in the truncated case, since
> the payload is not guaranteed to be present when skb->len < sizeof(*kp).
Indeed, you are right.
> If diagnostic information is still useful, only metadata can be logged:
>
> 	if (skb->len < sizeof(*kp)) {
> 		bt_dev_dbg(conn->hcon->hdev,
> 			   "truncated keypress notify, len=%u",
> 			   skb->len);
> 		return SMP_INVALID_PARAMS;
> 	}
>
> This keeps visibility into malformed packets without touching unvalidated
> memory. Happy to send a v2 if that looks good to you.
It looks good to me. Hopefully the maintainers agree.
Kind regards,
Paul
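
The check discussed in this thread, as an added user-space model that is not part of the original message or of the kernel patch. The names `model_skb`, `model_smp_rx` and `model_keypress_notify` are hypothetical, and the dispatcher that consumes the one-byte opcode before calling the handler is an assumption of the model; both sample PDUs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SMP_CMD_KEYPRESS_NOTIFY 0x0e /* opcode, Bluetooth Core spec */
#define SMP_INVALID_PARAMS      0x0a /* Pairing Failed reason code */

/* Hypothetical stand-in for struct sk_buff: only the two fields used here. */
struct model_skb {
	const uint8_t *data;
	size_t len;
};

struct smp_cmd_keypress_notify { uint8_t value; };

/* Handler model: reject a short payload before kp is ever dereferenced. */
static int model_keypress_notify(const struct model_skb *skb, int *value_out)
{
	const struct smp_cmd_keypress_notify *kp = (const void *)skb->data;

	if (skb->len < sizeof(*kp)) {
		/* Metadata only: kp->value is not backed by packet data here. */
		fprintf(stderr, "truncated keypress notify, len=%zu\n", skb->len);
		return SMP_INVALID_PARAMS;
	}
	*value_out = kp->value;
	return 0;
}

/* Dispatcher model (assumption): strip the opcode, pass on the payload. */
static int model_smp_rx(const uint8_t *pdu, size_t pdu_len, int *value_out)
{
	if (pdu_len < 1 || pdu[0] != SMP_CMD_KEYPRESS_NOTIFY)
		return -1; /* other opcodes are not modelled */
	struct model_skb skb = { pdu + 1, pdu_len - 1 };
	return model_keypress_notify(&skb, value_out);
}

int main(void)
{
	static const uint8_t ok[] = { SMP_CMD_KEYPRESS_NOTIFY, 0x02 }; /* constructed */
	static const uint8_t cut[] = { SMP_CMD_KEYPRESS_NOTIFY };      /* constructed */
	int v = -1;
	printf("full: %d\n", model_smp_rx(ok, sizeof(ok), &v));
	printf("truncated: %d\n", model_smp_rx(cut, sizeof(cut), &v));
	return 0;
}
```

A PDU that carries only the opcode leaves a zero-length payload, which is the truncated case the guard rejects without reading `kp->value`.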