git/linux-net
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/ synced 2026-04-03 23:37:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Bluetooth: MGMT: validate LTK enc_size on load

Browse Source 
Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.

Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.

Fixes: 346af67b8d ("Bluetooth: Add MGMT handlers for dealing with SMP LTK's")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
This commit is contained in:
Keenan Dong
2026-03-28 16:46:47 +08:00
committed by Luiz Augusto von Dentz
parent 0ffac654e9
commit b8dbe9648d
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
net/bluetooth/mgmt.c
View File

@@ -7248,6 +7248,9 @@ static bool ltk_is_valid(struct mgmt_ltk_info *key)
if (key->initiator != 0x00 && key->initiator != 0x01)
return false;
if (key->enc_size > sizeof(key->val))
return false;
switch (key->addr.type) {
case BDADDR_LE_PUBLIC:
return true;