]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph-client.git/commit
projects / ceph-client.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 0ffac65) | patch
Bluetooth: MGMT: validate LTK enc_size on load
authorKeenan Dong <keenanat2000@gmail.com>
Sat, 28 Mar 2026 08:46:47 +0000 (16:46 +0800)
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Wed, 1 Apr 2026 20:46:09 +0000 (16:46 -0400)
commitb8dbe9648d69059cfe3a28917bfbf7e61efd7f15
treeb7000cbd11540ae24da409f381458521797ab0aatree | snapshot
parent0ffac654e95c1bdfe2d4edf28fb18d6ba1f103e6commit | diff
Bluetooth: MGMT: validate LTK enc_size on load

Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.

Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.

Fixes: 346af67b8d11 ("Bluetooth: Add MGMT handlers for dealing with SMP LTK's")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
net/bluetooth/mgmt.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.