CVE-2015-8575 information leak in sco_sock_bind (rhbz 1292840 1292841)

bluetooth-Validate-socket-address-length-in-sco_sock.patch

@@ -0,0 +1,27 @@
+From 5233252fce714053f0151680933571a2da9cbfb4 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 15 Dec 2015 15:39:08 -0500
+Subject: [PATCH] bluetooth: Validate socket address length in sco_sock_bind().
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/bluetooth/sco.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c
+index fe129663bd3f..f52bcbf2e58c 100644
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -526,6 +526,9 @@ static int sco_sock_bind(struct socket *sock, struct sockaddr *addr,
+ 	if (!addr || addr->sa_family != AF_BLUETOOTH)
+ 		return -EINVAL;
+ 
++	if (addr_len < sizeof(struct sockaddr_sco))
++		return -EINVAL;
++
+ 	lock_sock(sk);
+ 
+ 	if (sk->sk_state != BT_OPEN) {
+-- 
+2.5.0
+

kernel.spec

@@ -642,6 +642,9 @@ Patch600: pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
 
 Patch601: vrf-fix-memory-leak-on-registration.patch
 
+#CVE-2015-8575 rhbz 1292840 1292841
+Patch602: bluetooth-Validate-socket-address-length-in-sco_sock.patch
+
 # END OF PATCH DEFINITIONS
 
 %endif
@@ -2085,6 +2088,9 @@ fi
 #
 # 
 %changelog
+* Fri Dec 18 2015 Josh Boyer <jwboyer@fedoraproject.org>
+- CVE-2015-8575 information leak in sco_sock_bind (rhbz 1292840 1292841)
+
 * Thu Dec 17 2015 Justin M. Forbes <jforbes@fedoraproject.org>
 - Fix for memory leak in vrf