Linux Kernel Bluetooth Management Layer Advertising Payload Length Validation Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's Bluetooth management layer, specifically within the mesh sending functionality. The issue arises because the 'mesh_send' function does not properly validate the length of the advertising data payload before processing it. Although the function checks the total command length, it does not ensure that the bytes actually received cover the flexible 'adv_data' array for the length stated in the 'adv_data_len' field. This oversight can lead to a buffer overflow: a truncated command passes the initial length checks, and the asynchronous mesh sending process is then driven beyond the end of the queued command buffer. The vulnerability affects several versions of the Linux kernel.
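The following added example (not kernel code, and not part of the original advisory) contrasts the two validation shapes described above on a constructed command layout: a check that only confirms the fixed header fits, beside one that also requires the received length to cover the payload length the header advertises. The struct and field names are assumptions modelled on the description.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified layout modelled on the advisory's description:
 * fixed header with adv_data_len, then a flexible adv_data[] array.
 * Field names are assumptions, not the kernel's exact definition. */
struct __attribute__((packed)) mesh_send_cmd {
    uint8_t  addr[6];
    uint8_t  addr_type;
    uint16_t cnt;
    uint8_t  adv_data_len;
    uint8_t  adv_data[];
};

/* Weak check: only confirms the fixed header fits in the bytes received.
 * A header claiming more payload than was delivered still passes, so a
 * later walk over adv_data_len bytes reads past the received buffer. */
static int mesh_send_len_ok_weak(const void *buf, size_t len)
{
    (void)buf;
    return len >= sizeof(struct mesh_send_cmd);
}

/* Hardened check: header must fit, and bytes received must equal the
 * header plus the payload length the header itself advertises. */
static int mesh_send_len_ok_strict(const void *buf, size_t len)
{
    const struct mesh_send_cmd *cp = buf;

    if (len < sizeof(*cp))
        return 0;
    return len == sizeof(*cp) + cp->adv_data_len;
}

/* Build a constructed command whose header claims adv_len payload bytes
 * while only received_len bytes exist, then apply the chosen check.
 * Returns 1 if accepted, 0 if rejected, -1 if the scratch buffer is too small. */
int check_constructed(int strict, size_t received_len, uint8_t adv_len)
{
    uint8_t buf[64] = {0};
    struct mesh_send_cmd *cp = (struct mesh_send_cmd *)buf;

    if (received_len > sizeof(buf))
        return -1;
    cp->adv_data_len = adv_len;
    return strict ? mesh_send_len_ok_strict(buf, received_len)
                  : mesh_send_len_ok_weak(buf, received_len);
}
```

With a 10-byte header claiming 5 payload bytes but only 12 bytes received, check_constructed(0, 12, 5) accepts the command while check_constructed(1, 12, 5) rejects it; a complete 15-byte command passes both.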

Impact

Exploitation of this vulnerability can cause a buffer overflow, potentially leading to arbitrary code execution or memory corruption.

Reproduction

To reproduce this vulnerability, send a command to the Bluetooth management layer's mesh sending function with a truncated advertising data payload. The command should bypass the initial length checks but still drive the mesh sending process past the end of the command buffer, causing a buffer overflow.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: May 1, 2026, 3:54 PM
Updated: May 1, 2026, 3:54 PM

Vulnerability Rating

Custom Algorithm
spread:         9.0
impact:         0.6
exploitability: 4.3
remediation:    7.7
relevance:      7.2
threat:         4.8
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.