[PATCH v2] Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt

[PATCH v2] Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt

[Soenke Huster]

This event is specified just for SCO and eSCO link types.
On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
of an existing LE connection, LE link type and a status that triggers the
second case of the packet processing a NULL pointer dereference happens,
as conn->link is NULL.

Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
---
v2: Fixed the obviously wrong boolean comparison

I found this null pointer dereference while fuzzing bluetooth-next.
On the described behaviour, a null ptr deref in line 4723 happens, as
conn->link is NULL. According to the Core spec, Link_Type must be SCO or eSCO,
all other values are reserved for future use. Checking that mitigates a null
pointer dereference.

 net/bluetooth/hci_event.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 05997dff5666..d68f5640fb38 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4661,6 +4661,11 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
 	struct hci_ev_sync_conn_complete *ev = data;
 	struct hci_conn *conn;
 
+	if (!(ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK)) {
+		bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
+		return;
+	}
+
 	bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
 
 	hci_dev_lock(hdev);
-- 
2.34.1

Re: [PATCH v2] Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt

[Luiz Augusto von Dentz]

Hi Soenke,

On Thu, Jan 13, 2022 at 8:41 AM Soenke Huster <soenke.huster@eknoes.de> wrote:
>
> This event is specified just for SCO and eSCO link types.
> On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR
> of an existing LE connection, LE link type and a status that triggers the
> second case of the packet processing a NULL pointer dereference happens,
> as conn->link is NULL.
>
> Signed-off-by: Soenke Huster <soenke.huster@eknoes.de>
> ---
> v2: Fixed the obviously wrong boolean comparison
>
> I found this null pointer dereference while fuzzing bluetooth-next.
> On the described behaviour, a null ptr deref in line 4723 happens, as
> conn->link is NULL. According to the Core spec, Link_Type must be SCO or eSCO,
> all other values are reserved for future use. Checking that mitigates a null
> pointer dereference.
>
>  net/bluetooth/hci_event.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
> index 05997dff5666..d68f5640fb38 100644
> --- a/net/bluetooth/hci_event.c
> +++ b/net/bluetooth/hci_event.c
> @@ -4661,6 +4661,11 @@ static void hci_sync_conn_complete_evt(struct hci_dev *hdev, void *data,
>         struct hci_ev_sync_conn_complete *ev = data;
>         struct hci_conn *conn;
>
> +       if (!(ev->link_type == SCO_LINK || ev->link_type == ESCO_LINK)) {
> +               bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
> +               return;
> +       }

I rather have this as a switch statement:

switch (ev->link_type)
case SCO_LINK:
case ESCO_LINK:
  break;
default:
  /* Add comment where the spec states this is invalid */
  bt_dev_err(hdev, "Ignoring connect complete event for invalid link type");
  return;

>         bt_dev_dbg(hdev, "status 0x%2.2x", ev->status);
>
>         hci_dev_lock(hdev);
> --
> 2.34.1
>


-- 
Luiz Augusto von Dentz