linux-yocto/net
Pauli Virtanen 5c19daa93d Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete
commit e8785404de upstream.

There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to
memcpy from badly declared on-stack flexible array.

Another crash is in set_mesh_complete() due to double list_del via
mgmt_pending_valid + mgmt_pending_remove.

Use DEFINE_FLEX to declare the flexible array right, and don't memcpy
outside bounds.

As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free,
and also report status on error.

Fixes: 302a1f674c ("Bluetooth: MGMT: Fix possible UAFs")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2025-11-24 10:36:08 +01:00
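The first half of the commit message above describes a classic kernel bug shape: a struct whose last member is a flexible array is declared directly on the stack, so the array has no storage behind it, and a memcpy into it runs off the end of the object (KASAN reports it as stack-out-of-bounds). The following userspace C program is an added illustration of that bug shape and of the DEFINE_FLEX-style fix; it is not the kernel's code, and `STACK_FLEX` is a simplified stand-in macro with a shorter argument list than the kernel's real `DEFINE_FLEX`. `struct mesh_cmd`, its field layout and the 16-byte capacity are constructed for the example. The double list_del problem from the second half of the message is not covered here.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for an MGMT-style command with a trailing payload.
 * The flexible array member data[] contributes no bytes to sizeof(). */
struct mesh_cmd {
    uint16_t opcode;
    uint16_t len;
    uint8_t  data[];
};

/* Simplified stand-in for the kernel's DEFINE_FLEX (assumption: the real
 * macro takes more arguments and also records the element count). It gives
 * the on-stack object real storage by overlaying the struct on a byte
 * buffer sized for `count` elements of `member`. */
#define STACK_FLEX(type, name, member, count)                              \
    union {                                                                \
        uint8_t bytes[sizeof(type) + (count) * sizeof(((type *)0)->member[0])]; \
        type obj;                                                          \
    } name##_storage = { { 0 } };                                          \
    type *name = &name##_storage.obj

/* Bug shape: declaring the struct itself on the stack. Returns how many
 * payload bytes the object legally holds behind data[], which is zero here;
 * any memcpy into cmd.data therefore writes past the object. */
size_t buggy_stack_flex_capacity(void)
{
    struct mesh_cmd cmd;
    return sizeof(cmd) - offsetof(struct mesh_cmd, data);
}

/* Fixed shape: storage sized for 16 payload bytes. Returns the capacity
 * actually available behind data[]. */
size_t fixed_stack_flex_capacity(void)
{
    STACK_FLEX(struct mesh_cmd, cmd, data, 16);
    (void)cmd;
    return sizeof(cmd_storage) - offsetof(struct mesh_cmd, data);
}

/* Fixed shape plus the bounds check the commit message calls for: refuse a
 * payload larger than the declared capacity instead of copying out of
 * bounds. Copies the payload through the on-stack command into `out`
 * (which must hold at least 16 bytes) and returns the bytes copied, or 0
 * when the payload does not fit. */
size_t copy_payload_bounded(const uint8_t *src, size_t n, uint8_t *out)
{
    STACK_FLEX(struct mesh_cmd, cmd, data, 16);
    size_t cap = sizeof(cmd_storage) - offsetof(struct mesh_cmd, data);

    if (n > cap)
        return 0;                /* would have been the OOB memcpy */

    cmd->opcode = 0x1234;        /* constructed opcode value */
    cmd->len = (uint16_t)n;
    memcpy(cmd->data, src, n);   /* in bounds: data[] has `cap` bytes */
    memcpy(out, cmd->data, n);
    return n;
}

int main(void)
{
    uint8_t in[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    uint8_t out[16];

    printf("buggy capacity: %zu bytes\n", buggy_stack_flex_capacity());
    printf("fixed capacity: %zu bytes\n", fixed_stack_flex_capacity());
    printf("copied: %zu bytes\n", copy_payload_bounded(in, sizeof in, out));
    printf("oversized refused: %zu\n", copy_payload_bounded(in, 32, out));
    return 0;
}
```

Compile with `-fsanitize=address` and replace the capacity check with an unconditional memcpy into the buggy declaration to see the same class of report KASAN produced in the kernel.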
6lowpan
9p 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN 2025-11-13 15:34:34 -05:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-17 13:40:37 +01:00
8021q net: vlan: sync VLAN features with lower device 2025-11-13 15:34:37 -05:00
appletalk net: appletalk: Fix use-after-free in AARP proxy probe 2025-08-01 09:48:41 +01:00
atm net: atm: fix memory leak in atm_register_sysfs when device_register fail 2025-09-09 18:58:13 +02:00
ax25 ax25: properly unshare skbs in ax25_kiss_rcv() 2025-09-09 18:58:13 +02:00
batman-adv batman-adv: fix OOB read/write in network-coding decode 2025-09-09 18:58:18 +02:00
bluetooth Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete 2025-11-24 10:36:08 +01:00
bpf bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() 2025-02-27 04:30:18 -08:00
bridge net: bridge: fix MST static key usage 2025-11-13 15:34:39 -05:00
caif caif: reduce stack size, again 2025-08-15 12:13:40 +02:00
can can: j1939: j1939_local_ecu_get(): undo increment when j1939_local_ecu_get() fails 2025-09-19 16:35:49 +02:00
ceph libceph: fix invalid accesses to ceph_connection_v1_info 2025-09-19 16:35:47 +02:00
core net: netpoll: ensure skb_pool list is always initialized 2025-11-24 10:36:08 +01:00
dcb
dccp dccp: Fix memory leak in dccp_feat_change_recv 2024-12-14 20:03:05 +01:00
devlink devlink: fix xa_alloc_cyclic() error handling 2025-03-28 22:03:27 +01:00
dns_resolver
dsa net: dsa: tag_brcm: legacy: fix untagged rx on unbridged ports for bcm63xx 2025-11-13 15:34:37 -05:00
ethernet ethernet: Extend device_get_mac_address() to use NVMEM 2025-11-13 15:34:25 -05:00
ethtool ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() 2025-04-25 10:47:43 +02:00
handshake net/handshake: Fix memory leak in tls_handshake_accept() 2025-11-24 10:35:50 +01:00
hsr hsr: Fix supervision frame sending on HSRv0 2025-11-24 10:35:52 +01:00
ieee802154 net: ieee802154: do not leave a dangling sk pointer in ieee802154_create() 2024-12-14 20:03:47 +01:00
ife
ipv4 ipv4: route: Prevent rt_bind_exception() from rebinding stale fnhe 2025-11-24 10:36:00 +01:00
ipv6 ipv6: np->rxpmtu race annotation 2025-11-13 15:34:27 -05:00
iucv
kcm net: kcm: Fix race condition in kcm_unattach() 2025-08-20 18:30:18 +02:00
key xfrm: Add support for per cpu xfrm state handling. 2025-02-08 09:58:00 +01:00
l2tp l2tp: do not use sock_hold() in pppol2tp_session_get_sock() 2025-09-04 15:31:51 +02:00
l3mdev
lapb
llc llc: fix data loss when reading from a socket in llc_ui_recvmsg() 2025-05-29 11:03:20 +02:00
mac80211 wifi: mac80211: use wiphy_hrtimer_work for csa.switch_work 2025-11-24 10:36:05 +01:00
mac802154 mac802154: check local interfaces before deleting sdata list 2025-01-23 17:22:54 +01:00
mctp mctp: return -ENOPROTOOPT for unknown getsockopt options 2025-09-09 18:58:13 +02:00
mpls mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). 2025-06-27 11:11:43 +01:00
mptcp mptcp: fix MSG_PEEK stream corruption 2025-11-24 10:36:05 +01:00
ncsi net: ncsi: Fix buffer overflow in fetching version id 2025-08-20 18:30:38 +02:00
netfilter netfilter: nf_tables: reject duplicate device on updates 2025-11-24 10:35:57 +01:00
netlabel calipso: unlock rcu before returning -EAFNOSUPPORT 2025-06-19 15:32:37 +02:00
netlink genetlink: fix genl_bind() invoking bind() after -EPERM 2025-09-19 16:35:48 +02:00
netrom netrom: check buffer length before accessing it 2025-01-09 13:33:38 +01:00
nfc net: nfc: nci: Add parameter validation for packet data 2025-10-15 12:00:21 +02:00
nsh
openvswitch net: openvswitch: Fix the dead loop of MPLS parse 2025-06-19 15:31:55 +02:00
packet net/packet: fix a race in packet_set_ring() and packet_notifier() 2025-08-15 12:14:09 +02:00
phonet phonet/pep: Move call to pn_skb_get_dst_sockaddr() earlier in pep_sock_accept() 2025-07-24 08:56:24 +02:00
psample psample: adjust size if rate_as_probability is set 2024-12-27 14:02:06 +01:00
qrtr
rds rds: Fix endianness annotation for RDS_MPATH_HASH 2025-11-13 15:34:15 -05:00
rfkill net: rfkill: gpio: Fix crash due to dereferencing uninitialized pointer 2025-09-25 11:13:47 +02:00
rose net: rose: fix a typo in rose_clear_routes() 2025-09-04 15:31:55 +02:00
rxrpc rxrpc: Fix transmission of an abort in response to an abort 2025-07-24 08:56:35 +02:00
sched bpf: Add bpf_prog_run_data_pointers() 2025-11-24 10:35:55 +01:00
sctp sctp: prevent possible shift-out-of-bounds in sctp_transport_update_rto 2025-11-24 10:35:50 +01:00
smc net/smc: fix mismatch between CLC header and proposal 2025-11-24 10:35:50 +01:00
strparser strparser: Fix signed/unsigned mismatch bug 2025-11-24 10:35:59 +01:00
sunrpc nfsd: unregister with rpcbind when deleting a transport 2025-10-19 16:34:03 +02:00
switchdev net: switchdev: Convert blocking notification chain to a raw one 2025-03-22 12:54:12 -07:00
tipc tipc: Fix use-after-free in tipc_mon_reinit_self(). 2025-11-24 10:35:51 +01:00
tls tls: don't rely on tx_work during send() 2025-10-23 16:20:31 +02:00
unix af_unix: Initialise scc_index in unix_add_edge(). 2025-11-24 10:35:51 +01:00
vmw_vsock vsock: fix lock inversion in vsock_assign_transport() 2025-10-29 14:08:57 +01:00
wireless wifi: cfg80211: add an hrtimer based delayed work item 2025-11-24 10:36:05 +01:00
x25
xdp xsk: Harden userspace-supplied xdp_desc validation 2025-10-19 16:33:53 +02:00
xfrm xfrm: xfrm_alloc_spi shouldn't use 0 as SPI 2025-10-02 13:44:09 +02:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile
socket.c
sysctl_net.c