Commit 8f59d17b authored Apr 23, 2026 by Pengpeng Hou Committed by Luiz Augusto von Dentz May 06, 2026

Bluetooth: RFCOMM: pull credit byte with skb_pull_data()



rfcomm_recv_data() treats the first payload byte as a credit field when
the UIH frame carries PF and credit-based flow control is enabled.

After the header has been stripped, the PF/CFC path consumes that byte
with a direct skb->data dereference followed by skb_pull(). A malformed
short frame can reach this path without a byte available.

Use skb_pull_data() so the length check and pull happen together before
the returned credit byte is consumed.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

parent daf23014

net/bluetooth/rfcomm/core.c

+5 −2

Original line number	Diff line number	Diff line
		@@ -1715,9 +1715,12 @@ static int rfcomm_recv_data(struct rfcomm_session *s, u8 dlci, int pf, struct sk
		}

		if (pf && d->cfc) {
		u8 credits = (u8 ) skb->data; skb_pull(skb, 1);
		u8 *credits = skb_pull_data(skb, 1);

		d->tx_credits += credits;
		if (!credits)
		goto drop;

		d->tx_credits += *credits;
		if (d->tx_credits)
		clear_bit(RFCOMM_TX_THROTTLED, &d->flags);
		}