[PATCH v4] Bluetooth: btmtk: validate WMT event SKB length before struct access

patchwork-bot+bluetooth at kernel.org
Tue Apr 21 10:40:07 PDT 2026


Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz at intel.com>:

On Tue, 21 Apr 2026 11:14:54 +0000 you wrote:
> From: Tristan Madani <tristan at talencesecurity.com>
> 
> btmtk_usb_hci_wmt_sync() casts the WMT event response SKB data to
> struct btmtk_hci_wmt_evt (7 bytes) and struct btmtk_hci_wmt_evt_funcc
> (9 bytes) without first checking that the SKB contains enough data.
> A short firmware response causes out-of-bounds reads from SKB tailroom.
> 
> [...]

Here is the summary with links:
  - [v4] Bluetooth: btmtk: validate WMT event SKB length before struct access
    https://git.kernel.org/bluetooth/bluetooth-next/c/006b9943b982

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
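
The length checks described in the quoted commit message, modelled in user space as an added example (this is not the applied patch or kernel code). The struct field layout, the opcode value 0x06 and all names here are assumptions; only the 7- and 9-byte sizes come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Only the 7- and 9-byte sizes come from the commit message; the field
 * names and order in these models are assumptions. */
struct wmt_evt_model {
    uint8_t evt, plen;              /* HCI event header */
    uint8_t dir, op, dlen[2], flag; /* WMT header */
};
struct wmt_evt_funcc_model {
    struct wmt_evt_model hdr;
    uint8_t status[2];              /* big-endian status (assumed) */
};

#define WMT_OP_FUNC_CTRL 0x06       /* assumed opcode value */
#define WMT_ERR_SHORT    (-1)

/* Return the op, filling *status for function-control events, only after
 * confirming the buffer holds the structure about to be read. */
int wmt_parse_event(const uint8_t *data, size_t len, uint16_t *status)
{
    struct wmt_evt_model evt;
    struct wmt_evt_funcc_model funcc;

    if (len < sizeof(evt))          /* check before the first field access */
        return WMT_ERR_SHORT;
    memcpy(&evt, data, sizeof(evt));

    if (evt.op == WMT_OP_FUNC_CTRL) {
        if (len < sizeof(funcc))    /* the longer layout needs its own check */
            return WMT_ERR_SHORT;
        memcpy(&funcc, data, sizeof(funcc));
        *status = (uint16_t)((funcc.status[0] << 8) | funcc.status[1]);
    }
    return evt.op;
}

int main(void)
{
    /* Constructed sample: a 9-byte function-control event, then truncated. */
    const uint8_t ev[9] = {0xe4, 0x07, 0x02, 0x06, 0x01, 0x00, 0x00, 0x04, 0x20};
    uint16_t st = 0;

    return !(wmt_parse_event(ev, 9, &st) == WMT_OP_FUNC_CTRL &&
             wmt_parse_event(ev, 8, &st) == WMT_ERR_SHORT);
}
```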





More information about the Linux-mediatek mailing list