33 lines
1.5 KiB
Diff
33 lines
1.5 KiB
Diff
From: Dan Rosenberg <drosenberg@vsecurity.com>
|
|
Date: Fri, 24 Jun 2011 12:38:05 +0000 (-0400)
|
|
Subject: Bluetooth: Prevent buffer overflow in l2cap config request
|
|
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fpadovan%2Fbluetooth-2.6.git;a=commitdiff_plain;h=7ac28817536797fd40e9646452183606f9e17f71
|
|
|
|
Bluetooth: Prevent buffer overflow in l2cap config request
|
|
[ backport to 2.6.38 ]
|
|
|
|
A remote user can provide a small value for the command size field in
|
|
the command header of an l2cap configuration request, resulting in an
|
|
integer underflow when subtracting the size of the configuration request
|
|
header. This results in copying a very large amount of data via
|
|
memcpy() and destroying the kernel heap. Check for underflow.
|
|
|
|
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
|
|
Cc: stable <stable@kernel.org>
|
|
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
---
|
|
|
|
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
|
|
index 56fdd91..7d8a66b 100644
|
|
--- a/net/bluetooth/l2cap.c
|
|
+++ b/net/bluetooth/l2cap.c
|
|
@@ -3116,7 +3116,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
|
|
|
|
/* Reject if config buffer is too small. */
|
|
len = cmd_len - sizeof(*req);
|
|
- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
|
|
+ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
|
|
l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
|
|
l2cap_build_conf_rsp(sk, rsp,
|
|
L2CAP_CONF_REJECT, flags), rsp);
|