[PW_SID:1108156] Bluetooth: hci: validate codec capability element length

[BluezTestBot]

Read Local Codec Capabilities returns a sequence of capability elements.
Each element starts with a one-byte length followed by that many payload
bytes.

hci_read_codec_capabilities() checks that the skb contains the length
byte, but then validates only caps->len against the remaining skb
length. A malformed controller response with one remaining byte and
caps->len set to one passes that check even though the element needs two
bytes. The parser then records a two-byte capability and copies one
byte beyond the advertised response payload into the codec list.

Validate the full element size, including the length byte, before adding
it to the accumulated capability length. This preserves all well-formed
capability elements and drops only truncated controller responses.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius sam.moelius@trailofbits.com

net/bluetooth/hci_codec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

[github-actions]

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.61 seconds
Result: PASS

[github-actions]

VerifyFixes
Desc: Verify Fixes tag format and validity
Duration: 0.08 seconds
Result: PASS

[github-actions]

VerifySignedoff
Desc: Verify Signed-off-by chain
Duration: 0.07 seconds
Result: PASS

[github-actions]

GitLint
Desc: Run gitlint
Duration: 0.21 seconds
Result: PASS

[github-actions]

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.07 seconds
Result: PASS

[github-actions]

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 26.58 seconds
Result: PASS

[github-actions]

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 29.53 seconds
Result: PASS

[github-actions]

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 28.04 seconds
Result: PASS

[github-actions]

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 25.93 seconds
Result: PASS

[github-actions]

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 577.06 seconds
Result: PASS

[github-actions]

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 60.65 seconds
Result: PASS

[github-actions]

TestRunner_iso-tester
Desc: Run iso-tester with test-runner
Duration: 78.61 seconds
Result: PASS

[github-actions]

TestRunner_bnep-tester
Desc: Run bnep-tester with test-runner
Duration: 19.09 seconds
Result: PASS

[github-actions]

TestRunner_mgmt-tester
Desc: Run mgmt-tester with test-runner
Duration: 216.08 seconds
Result: FAIL
Output:

Total: 494, Passed: 489 (99.0%), Failed: 1, Not Run: 4

Failed Test Cases
Read Exp Feature - Success                           Failed       0.249 seconds

[github-actions]

TestRunner_rfcomm-tester
Desc: Run rfcomm-tester with test-runner
Duration: 26.05 seconds
Result: PASS

[github-actions]

TestRunner_sco-tester
Desc: Run sco-tester with test-runner
Duration: 32.97 seconds
Result: PASS

[github-actions]

TestRunner_ioctl-tester
Desc: Run ioctl-tester with test-runner
Duration: 26.16 seconds
Result: PASS

[github-actions]

TestRunner_mesh-tester
Desc: Run mesh-tester with test-runner
Duration: 25.86 seconds
Result: FAIL
Output:

Total: 10, Passed: 8 (80.0%), Failed: 2, Not Run: 0

Failed Test Cases
Mesh - Send cancel - 1                               Timed out    2.188 seconds
Mesh - Send cancel - 2                               Timed out    1.989 seconds

[github-actions]

TestRunner_smp-tester
Desc: Run smp-tester with test-runner
Duration: 23.83 seconds
Result: PASS

[github-actions]

TestRunner_userchan-tester
Desc: Run userchan-tester with test-runner
Duration: 20.28 seconds
Result: PASS

[github-actions]

TestRunner_6lowpan-tester
Desc: Run 6lowpan-tester with test-runner
Duration: 22.87 seconds
Result: PASS

[github-actions]

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 25.00 seconds
Result: PASS