Hi All, Our fuzzing tool found a possible bug when testing Bluetooth RFCOMM connection: (1) A 'Flush Occurred' HCI_EVT packet with incorrect 'parameter_total_length' field and parameters was maliciously sent to the host (hexadecimal content: '11 3D C4 02 62 D1'). (2) Because 'hci_ev_table'(/net/bluetooth/hci_event.c: 7514) does not include 'Flush Occurred' event, the function hci_event_func(/net/bluetooth/hci_event.c: 7644) doesn't check the 'parameter_total_length' field of this packet. (3) When the controller transmits additional HCI packets to the host, these packets are concatenated to the previously mentioned Flush Occurred packet. This results in the packets being disregarded by the host. Attachment 1 [details] is Kernel Log, which includes the printed HCI packet interactions between the host and controller. All HCI packets following the line mentioned below are ignored by the host: ''' [ 1555.520646] <- [EVT] 11 3D C4 02 62 D1 ''' Attachment 2 [details] contains packet captures from tshark. It remains unclear whether this behavior constitutes a bug or a feature. We apologize if this inquiry causes any offense. Thank you very much for taking the time to read. Best Regard, Yuxuan Hu.
Created attachment 306328 [details] Kernel Log including HCI packets
Created attachment 306329 [details] TShark pcap file