Pauli Virtanen e8785404de Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete ... There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pending_free, and also report status on error. Fixes: 302a1f674c ("Bluetooth: MGMT: Fix possible UAFs") Signed-off-by: Pauli Virtanen <pav@iki.fi> Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>		2025-10-24 10:21:37 -04:00
..
bluetooth.h	Bluetooth: Add function and line information to bt_dbg	2025-09-27 11:37:01 -04:00
coredump.h	Bluetooth: Add support for hci devcoredump	2023-04-23 21:57:59 -07:00
hci.h	Bluetooth: HCI: Fix tracking of advertisement set/instance 0x00	2025-10-24 10:21:07 -04:00
hci_core.h	Bluetooth: hci_core: Detect if an ISO link has stalled	2025-09-27 11:37:01 -04:00
hci_drv.h	Bluetooth: Annotate struct hci_drv_rp_read_info with __counted_by_le()	2025-09-27 11:37:00 -04:00
hci_mon.h	Bluetooth: Introduce HCI Driver protocol	2025-05-21 10:28:07 -04:00
hci_sock.h	Bluetooth: hci_core: Prefer struct_size over open coded arithmetic	2024-07-14 21:33:29 -04:00
hci_sync.h	Bluetooth: hci_sync: fix set_local_name race condition	2025-08-22 13:57:31 -04:00
iso.h	Bluetooth: ISO: Add broadcast support	2022-07-22 17:14:13 -07:00
l2cap.h	Bluetooth: L2CAP: add TX timestamping	2025-03-25 12:50:35 -04:00
mgmt.h	Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete	2025-10-24 10:21:37 -04:00
rfcomm.h	tty: rfcomm: prefer struct_size over open coded arithmetic	2024-07-14 21:33:31 -04:00
sco.h	Bluetooth: af_bluetooth: Make BT_PKT_STATUS generic	2023-08-11 11:49:16 -07:00