author Muhammad Bilal <meatuni001@gmail.com> 2026-05-20 18:56:43 -0400
committer Luiz Augusto von Dentz <luiz.von.dentz@intel.com> 2026-05-27 16:44:02 -0400
commit 2a3ac9ee11dbb9845f3947cef4a79dba658cf6f6
tree 55564e488966e12b685920a91789a2df88f027d7 /include/linux/clk/ssh:/git@git.zx2c4.com
parent Bluetooth: L2CAP: use chan timer to close channels in cleanup_listen()
Bluetooth: HIDP: fix missing length checks in hidp_input_report()

hidp_input_report() reads keyboard and mouse payload data from an skb without first verifying that skb->len contains enough data. hidp_recv_intr_frame() pulls the 1-byte HIDP header before dispatching to hidp_input_report().

If a paired device sends a truncated packet, the handler reads beyond the valid skb data, resulting in an out-of-bounds read of skb data. The OOB bytes may be interpreted as phantom key presses or spurious mouse movement.

Replace the open-coded length tracking and pointer arithmetic with skb_pull_data() calls. skb_pull_data() returns NULL if the requested bytes are not present, eliminating the need for a manual size variable and the separate skb->len guard.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Muhammad Bilal <meatuni001@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>

Diffstat (limited to 'include/linux/clk/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions
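
A userspace model of the pattern the commit message describes, added here as an example and not code from the commit or the kernel. buf_pull_data() mirrors the contract of skb_pull_data(); struct buf, parse_input_report(), the report ids and the payload sizes are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Userspace stand-in for an skb: read cursor plus count of valid bytes left. */
struct buf { const uint8_t *data; size_t len; };

/* Same contract as skb_pull_data(): NULL if fewer than n bytes remain,
 * otherwise return the current position and consume n bytes. */
static const uint8_t *buf_pull_data(struct buf *b, size_t n)
{
    const uint8_t *p = b->data;
    if (b->len < n)
        return NULL;
    b->data += n;
    b->len -= n;
    return p;
}

/* Report ids and payload sizes are assumptions for illustration. */
enum { REPORT_KBD = 0x01, REPORT_MOUSE = 0x02, KBD_LEN = 8, MOUSE_LEN = 3 };
struct report { uint8_t keys[KBD_LEN]; uint8_t buttons; int8_t dx, dy; };

/* Returns 0 on success, -1 for a truncated or unknown report. */
static int parse_input_report(const uint8_t *pkt, size_t len, struct report *out)
{
    struct buf b = { pkt, len };
    const uint8_t *id = buf_pull_data(&b, 1), *p;
    if (!id)
        return -1;
    if (*id == REPORT_KBD && (p = buf_pull_data(&b, KBD_LEN))) {
        memcpy(out->keys, p, KBD_LEN);
        return 0;
    }
    if (*id == REPORT_MOUSE && (p = buf_pull_data(&b, MOUSE_LEN))) {
        out->buttons = p[0];
        out->dx = (int8_t)p[1];
        out->dy = (int8_t)p[2];
        return 0;
    }
    return -1;
}

int main(void)
{
    const uint8_t pkt[] = { 0x02, 0x01, 0x05, 0xfb }; /* constructed mouse report */
    struct report r = { { 0 }, 0, 0, 0 };
    /* Exit 0 when the full packet parses and the truncated one is rejected. */
    return !(parse_input_report(pkt, 4, &r) == 0 && parse_input_report(pkt, 2, &r) == -1);
}
```

Because every read goes through the pull helper, no field can be touched before its length has been checked, which is the property the open-coded size variable could not guarantee.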