[PW_SID:1108158] Bluetooth: L2CAP: validate connectionless PSM length by BluezTestBot · Pull Request #294 · bluez/bluetooth-next

BluezTestBot · 2026-06-09T01:33:19Z

Connectionless L2CAP frames carry a two-byte PSM at the start of the
payload. l2cap_recv_frame() currently reads that PSM unconditionally
after validating only the outer L2CAP length.

A malformed connectionless frame with a zero- or one-byte payload can
therefore make the parser read beyond the advertised skb payload and use
tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer
injected a one-byte connectionless payload and reached the unchecked
read.

Reject connectionless frames that cannot contain the PSM before reading
or pulling it. This preserves all valid connectionless frames while
dropping only structurally incomplete packets.

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius sam.moelius@trailofbits.com

net/bluetooth/l2cap_core.c | 5 +++++
1 file changed, 5 insertions(+)

Connectionless L2CAP frames carry a two-byte PSM at the start of the payload. l2cap_recv_frame() currently reads that PSM unconditionally after validating only the outer L2CAP length. A malformed connectionless frame with a zero- or one-byte payload can therefore make the parser read beyond the advertised skb payload and use tailroom bytes as part of the PSM. A VHCI-backed QEMU reproducer injected a one-byte connectionless payload and reached the unchecked read. Reject connectionless frames that cannot contain the PSM before reading or pulling it. This preserves all valid connectionless frames while dropping only structurally incomplete packets. Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius <sam.moelius@trailofbits.com>

github-actions · 2026-06-09T01:45:59Z

CheckPatch
Desc: Run checkpatch.pl script
Duration: 0.60 seconds
Result: PASS

github-actions · 2026-06-09T01:46:00Z

VerifyFixes
Desc: Verify Fixes tag format and validity
Duration: 0.09 seconds
Result: PASS

github-actions · 2026-06-09T01:46:02Z

VerifySignedoff
Desc: Verify Signed-off-by chain
Duration: 0.09 seconds
Result: PASS

github-actions · 2026-06-09T01:46:04Z

GitLint
Desc: Run gitlint
Duration: 0.25 seconds
Result: PASS

github-actions · 2026-06-09T01:46:06Z

SubjectPrefix
Desc: Check subject contains "Bluetooth" prefix
Duration: 0.11 seconds
Result: PASS

github-actions · 2026-06-09T01:46:39Z

BuildKernel
Desc: Build Kernel for Bluetooth
Duration: 27.18 seconds
Result: PASS

github-actions · 2026-06-09T01:47:13Z

CheckAllWarning
Desc: Run linux kernel with all warning enabled
Duration: 29.26 seconds
Result: PASS

github-actions · 2026-06-09T01:47:46Z

CheckSparse
Desc: Run sparse tool with linux kernel
Duration: 27.84 seconds
Result: PASS

github-actions · 2026-06-09T01:48:19Z

BuildKernel32
Desc: Build 32bit Kernel for Bluetooth
Duration: 26.17 seconds
Result: PASS

github-actions · 2026-06-09T01:57:59Z

TestRunnerSetup
Desc: Setup kernel and bluez for test-runner
Duration: 578.06 seconds
Result: PASS

github-actions · 2026-06-09T01:59:00Z

TestRunner_l2cap-tester
Desc: Run l2cap-tester with test-runner
Duration: 60.04 seconds
Result: PASS

github-actions · 2026-06-09T01:59:32Z

IncrementalBuild
Desc: Incremental build with the patches in the series
Duration: 25.60 seconds
Result: PASS

github-actions Bot added the area:l2cap label Jun 9, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PW_SID:1108158] Bluetooth: L2CAP: validate connectionless PSM length#294

[PW_SID:1108158] Bluetooth: L2CAP: validate connectionless PSM length#294
BluezTestBot wants to merge 1 commit into
workflowfrom
1108158

BluezTestBot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

BluezTestBot commented Jun 9, 2026

Assisted-by: Codex:gpt-5.5-cyber-preview Signed-off-by: Samuel Moelius sam.moelius@trailofbits.com

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

github-actions Bot commented Jun 9, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Assisted-by: Codex:gpt-5.5-cyber-preview
Signed-off-by: Samuel Moelius sam.moelius@trailofbits.com