Commit 5c5f1f64 authored Oct 24, 2025 by Raphael Pinsonneault-Thibeault Committed by Luiz Augusto von Dentz Oct 31, 2025

Bluetooth: hci_event: validate skb length for unknown CC opcode

In hci_cmd_complete_evt(), if the command complete event has an unknown
opcode, we assume the first byte of the remaining skb->data contains the
return status. However, parameter data has previously been pulled in
hci_event_func(), which may leave the skb empty. If so, using skb->data[0]
for the return status uses un-init memory.

The fix is to check skb->len before using skb->data.

Reported-by: <syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=a9a4bedfca6aa9d7fa24

Tested-by: <syzbot+a9a4bedfca6aa9d7fa24@syzkaller.appspotmail.com>
Fixes: afcb3369 ("Bluetooth: hci_event: Fix vendor (unknown) opcode status handling")
Signed-off-by: Raphael Pinsonneault-Thibeault <rpthibeault@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

parent e5763491

net/bluetooth/hci_event.c

+7 −0

Original line number	Diff line number	Diff line
		@@ -4218,6 +4218,13 @@ static void hci_cmd_complete_evt(struct hci_dev hdev, void data,
		}

		if (i == ARRAY_SIZE(hci_cc_table)) {
		if (!skb->len) {
		bt_dev_err(hdev, "Unexpected cc 0x%4.4x with no status",
		*opcode);
		*status = HCI_ERROR_UNSPECIFIED;
		return;
		}

		/* Unknown opcode, assume byte 0 contains the status, so
		* that e.g. __hci_cmd_sync() properly returns errors
		* for vendor specific commands send by HCI drivers.