CVE-2011-2497: bluetooth: buffer overflow in l2cap config request
parent
bdfca38df2
commit
f77745ccf7
|
@ -0,0 +1,32 @@
|
|||
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Date: Fri, 24 Jun 2011 12:38:05 +0000 (-0400)
|
||||
Subject: Bluetooth: Prevent buffer overflow in l2cap config request
|
||||
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fpadovan%2Fbluetooth-2.6.git;a=commitdiff_plain;h=7ac28817536797fd40e9646452183606f9e17f71
|
||||
|
||||
Bluetooth: Prevent buffer overflow in l2cap config request
|
||||
[ backport to 2.6.35 ]
|
||||
|
||||
A remote user can provide a small value for the command size field in
|
||||
the command header of an l2cap configuration request, resulting in an
|
||||
integer underflow when subtracting the size of the configuration request
|
||||
header. This results in copying a very large amount of data via
|
||||
memcpy() and destroying the kernel heap. Check for underflow.
|
||||
|
||||
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
||||
Cc: stable <stable@kernel.org>
|
||||
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
||||
---
|
||||
|
||||
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
|
||||
index 56fdd91..7d8a66b 100644
|
||||
--- a/net/bluetooth/l2cap.c
|
||||
+++ b/net/bluetooth/l2cap.c
|
||||
@@ -2962,7 +2962,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
|
||||
|
||||
/* Reject if config buffer is too small. */
|
||||
len = cmd_len - sizeof(*req);
|
||||
- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
|
||||
+ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
|
||||
l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
|
||||
l2cap_build_conf_rsp(sk, rsp,
|
||||
L2CAP_CONF_REJECT, flags), rsp);
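Review bot: The added `len < 0` test in l2cap_config_req only catches the underflow if `len` is declared as a signed type, and that declaration is outside this hunk. Since `sizeof(*req)` is unsigned, `cmd_len - sizeof(*req)` wraps to a large value and only becomes negative when converted on assignment. Checking the input before relying on the difference avoids depending on that conversion: `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {`. Any reads of `req` fields earlier in the function are not visible here and would presumably still run on a short request, so that is worth confirming in the 2.6.35 tree. The embedded patch also names `l2cap_core.c` on its `diff --git` line but `l2cap.c` on the `---`/`+++` lines; a short remark next to `[ backport to 2.6.35 ]` saying the path was adjusted would make that intentional.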
|
|
@ -840,6 +840,8 @@ Patch14002: iwlwifi-add_ack_plpc_check-module-parameters.patch
|
|||
Patch14010: perf-tools-do-not-look-at-config-for-configuration.patch
|
||||
# CVE-2011-2695
|
||||
Patch14011: ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
|
||||
# CVE-2011-2497
|
||||
Patch14012: bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
|
||||
%endif
|
||||
|
||||
|
@ -1580,6 +1582,8 @@ ApplyPatch iwlagn-use-cts-to-self-protection-on-5000-adapters-series.patch
|
|||
ApplyPatch perf-tools-do-not-look-at-config-for-configuration.patch
|
||||
# CVE-2011-2695
|
||||
ApplyPatch ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
|
||||
# CVE-2011-2497
|
||||
ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
|
||||
|
||||
# END OF PATCH APPLICATIONS
|
||||
|
||||
|
@ -2170,6 +2174,7 @@ fi
|
|||
* Mon Aug 15 2011 Chuck Ebbert <cebbert@redhat.com>
|
||||
- CVE-2011-2905: perf tools: may parse user-controlled configuration file
|
||||
- CVE-2011-2695: ext4: kernel panic when writing data to the last block of sparse file
|
||||
- CVE-2011-2497: bluetooth: buffer overflow in l2cap config request
|
||||
|
||||
* Wed Aug 03 2011 Chuck Ebbert <cebbert@redhat.com> 2.6.35.14-94
|
||||
- Linux 2.6.35.14
|
||||
|
|