From 147de4f8e71463bd98e5e5ff215e6bc77c223e92 Mon Sep 17 00:00:00 2001
From: Keenan Dong <keenanat2000@gmail.com>
Date: Sat, 28 Mar 2026 16:46:47 +0800
Subject: [PATCH] Bluetooth: MGMT: validate LTK enc_size on load

ANBZ: #34360

commit 0f37d1e65c6d71ad94ccfb5c602163c525db789d stable.

commit b8dbe9648d69059cfe3a28917bfbf7e61efd7f15 upstream.

Load Long Term Keys stores the user-provided enc_size and later uses
it to size fixed-size stack operations when replying to LE LTK
requests. An enc_size larger than the 16-byte key buffer can therefore
overflow the reply stack buffer.

Reject oversized enc_size values while validating the management LTK
record so invalid keys never reach the stored key state.

Fixes: 346af67b8d11 ("Bluetooth: Add MGMT handlers for dealing with SMP LTK's")
Reported-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

Fixes: CVE-2026-43020
Assisted-by: PatchPilot <patchpilot@openanolis.org>
Signed-off-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
---
 net/bluetooth/mgmt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 878bf7382244..72a683938593 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -5942,6 +5942,9 @@ static bool ltk_is_valid(struct mgmt_ltk_info *key)
 	if (key->master != 0x00 && key->master != 0x01)
 		return false;
 
+	if (key->enc_size > sizeof(key->val))
+		return false;
+
 	switch (key->addr.type) {
 	case BDADDR_LE_PUBLIC:
 		return true;
-- 
Gitee