lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130809075458.GA8758@x220.p-661hnu-f1>
Date:	Fri, 9 Aug 2013 10:54:58 +0300
From:	Johan Hedberg <johan.hedberg@...el.com>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	Jaganath Kanakkassery <jaganath.k@...sung.com>,
	Chan-Yeol Park <chanyeol.park@...sung.com>,
	Gustavo Padovan <gustavo.padovan@...labora.co.uk>
Subject: Re: [ 045/102] Bluetooth: Fix invalid length check in
 l2cap_information_rsp()

Hi Greg,

On Thu, Aug 08, 2013, Greg Kroah-Hartman wrote:
> 3.10-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Jaganath Kanakkassery <jaganath.k@...sung.com>
> 
> commit da9910ac4a816b4340944c78d94c02a35527db46 upstream.
> 
> The length check is invalid since the length varies with type of
> info response.
> 
> This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
> 
> Because of this, l2cap info rsp is not handled and command reject is sent.
> 
> > ACL data: handle 11 flags 0x02 dlen 16
>         L2CAP(s): Info rsp: type 2 result 0
>           Extended feature mask 0x00b8
>             Enhanced Retransmission mode
>             Streaming mode
>             FCS Option
>             Fixed Channels
> < ACL data: handle 11 flags 0x00 dlen 10
>         L2CAP(s): Command rej: reason 0
>           Command not understood
> 
> Signed-off-by: Jaganath Kanakkassery <jaganath.k@...sung.com>
> Signed-off-by: Chan-Yeol Park <chanyeol.park@...sung.com>
> Acked-by: Johan Hedberg <johan.hedberg@...el.com>
> Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> ---
>  net/bluetooth/l2cap_core.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -4240,7 +4240,7 @@ static inline int l2cap_disconnect_rsp(s
>  	u16 dcid, scid;
>  	struct l2cap_chan *chan;
>  
> -	if (cmd_len != sizeof(*rsp))
> +	if (cmd_len < sizeof(*rsp))
>  		return -EPROTO;
>  
>  	scid = __le16_to_cpu(rsp->scid);

This patch is already in 3.10 so there should be no need to try to
backport it (not to mention that this backport itself is incorrect in
that it modifies l2cap_disconnect_rsp whereas the original patch
modifies l2cap_information_rsp).

For whatever reason this commit seems to exist twice in Linus' tree: once
before the v3.10 tag with id 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 and
once after the v3.10 tag with id da9910ac4a816b4340944c78d94c02a35527db46
(which is the upstream commit id referenced by your commit message).

Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ