[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130809191230.GE10130@kroah.com>
Date: Fri, 9 Aug 2013 12:12:30 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Johan Hedberg <johan.hedberg@...el.com>
Cc: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
Jaganath Kanakkassery <jaganath.k@...sung.com>,
Chan-Yeol Park <chanyeol.park@...sung.com>,
Gustavo Padovan <gustavo.padovan@...labora.co.uk>
Subject: Re: [ 045/102] Bluetooth: Fix invalid length check in
l2cap_information_rsp()
On Fri, Aug 09, 2013 at 10:54:58AM +0300, Johan Hedberg wrote:
> Hi Greg,
>
> On Thu, Aug 08, 2013, Greg Kroah-Hartman wrote:
> > 3.10-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Jaganath Kanakkassery <jaganath.k@...sung.com>
> >
> > commit da9910ac4a816b4340944c78d94c02a35527db46 upstream.
> >
> > The length check is invalid since the length varies with type of
> > info response.
> >
> > This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
> >
> > Because of this, l2cap info rsp is not handled and command reject is sent.
> >
> > > ACL data: handle 11 flags 0x02 dlen 16
> > L2CAP(s): Info rsp: type 2 result 0
> > Extended feature mask 0x00b8
> > Enhanced Retransmission mode
> > Streaming mode
> > FCS Option
> > Fixed Channels
> > < ACL data: handle 11 flags 0x00 dlen 10
> > L2CAP(s): Command rej: reason 0
> > Command not understood
> >
> > Signed-off-by: Jaganath Kanakkassery <jaganath.k@...sung.com>
> > Signed-off-by: Chan-Yeol Park <chanyeol.park@...sung.com>
> > Acked-by: Johan Hedberg <johan.hedberg@...el.com>
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> >
> > ---
> > net/bluetooth/l2cap_core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -4240,7 +4240,7 @@ static inline int l2cap_disconnect_rsp(s
> > u16 dcid, scid;
> > struct l2cap_chan *chan;
> >
> > - if (cmd_len != sizeof(*rsp))
> > + if (cmd_len < sizeof(*rsp))
> > return -EPROTO;
> >
> > scid = __le16_to_cpu(rsp->scid);
>
> This patch is already in 3.10 so there should be no need to try to
> backport it (not to mention that this backport itself is incorrect in
> that it modifies l2cap_disconnect_rsp whereas the original patch
> modifies l2cap_information_rsp).
>
> For whatever reason this commit seems to exist twice in Linus' tree: once
> before the v3.10 tag with id 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 and
> once after the v3.10 tag with id da9910ac4a816b4340944c78d94c02a35527db46
> (which is the upstream commit id referenced by your commit message).
Thanks, this came into Linus's tree twice, I missed that. I've now
dropped this from the 3.10-stable queue.
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists