Description
In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: MGMT: validate mesh send advertising payload length

mesh_send() currently bounds MGMT_OP_MESH_SEND by total command length, but it never verifies that the bytes supplied for the flexible adv_data[] array actually match the embedded adv_data_len field. MGMT_MESH_SEND_SIZE only covers the fixed header, so a truncated command can still pass the existing 20..50 byte range check and later drive the async mesh send path past the end of the queued command buffer.

Keep rejecting zero-length and oversized advertising payloads, but validate adv_data_len explicitly and require the command length to exactly match the flexible array size before queueing the request.
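The gap between the two checks can be seen in a small user-space model, added here as an illustration and not taken from the kernel patch. It assumes a 19-byte fixed header whose last byte is adv_data_len and a 31-byte payload limit, which is what the 20..50 byte range implies; the function names and the sample commands are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): fixed header, then flexible adv_data[]. */
#define HDR_SIZE    19u  /* stands in for MGMT_MESH_SEND_SIZE */
#define MAX_ADV     31u  /* 50 - 19, the largest accepted payload */
#define ADV_LEN_OFF 18u  /* position of adv_data_len in this model */

/* Check described as insufficient: only the total length is bounded. */
int check_range_only(const uint8_t *cmd, size_t len)
{
    (void)cmd;
    return len > HDR_SIZE && len <= HDR_SIZE + MAX_ADV;
}

/* Check described as the fix: validate adv_data_len, require exact match. */
int check_exact(const uint8_t *cmd, size_t len)
{
    if (len <= HDR_SIZE || len > HDR_SIZE + MAX_ADV)
        return 0;
    uint8_t adv_len = cmd[ADV_LEN_OFF];   /* in bounds: len > HDR_SIZE */
    if (adv_len == 0 || adv_len > MAX_ADV)
        return 0;
    return len == (size_t)HDR_SIZE + adv_len;
}

/* Bytes a later consumer trusting adv_data_len would read beyond the buffer.
 * Caller must pass len > ADV_LEN_OFF. */
size_t overread_bytes(const uint8_t *cmd, size_t len)
{
    size_t need = (size_t)HDR_SIZE + cmd[ADV_LEN_OFF];
    return need > len ? need - len : 0;
}

/* Constructed sample: header claims `claimed` bytes, `supplied` are present. */
size_t build_cmd(uint8_t *buf, uint8_t claimed, uint8_t supplied)
{
    memset(buf, 0, HDR_SIZE + supplied);
    buf[ADV_LEN_OFF] = claimed;
    return HDR_SIZE + supplied;
}

int main(void)
{
    uint8_t buf[64];
    size_t n = build_cmd(buf, 31, 1);     /* truncated: 20 bytes total */
    printf("range-only=%d exact=%d overread=%zu\n", check_range_only(buf, n),
           check_exact(buf, n), overread_bytes(buf, n));
    return 0;
}
```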
Product status
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 (git) before 24fa32369cf15d8fc918bdfe94097b12e6acada0
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 (git) before 244b639e6a3a8e26241e201004a3a9f764476631
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 (git) before 0b706fb2294aff3adfd54653bda1b5e356ad4566
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 (git) before edb5898cfa91afe7e8f83eda18d93034c953d632
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 (git) before 562ed1954f0c1bff3422b7b752bd3dacf185edbf
b338d91703fae6f6afd67f3f75caa3b8f36ddef3 (git) before bda93eec78cdbfe5cda00785cefebd443e56b88b
6.1
Any version before 6.1
6.1.168 (semver)
6.6.134 (semver)
6.12.81 (semver)
6.18.22 (semver)
6.19.12 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/24fa32369cf15d8fc918bdfe94097b12e6acada0
git.kernel.org/...c/244b639e6a3a8e26241e201004a3a9f764476631
git.kernel.org/...c/0b706fb2294aff3adfd54653bda1b5e356ad4566
git.kernel.org/...c/edb5898cfa91afe7e8f83eda18d93034c953d632
git.kernel.org/...c/562ed1954f0c1bff3422b7b752bd3dacf185edbf
git.kernel.org/...c/bda93eec78cdbfe5cda00785cefebd443e56b88b