Date:	Fri, 9 Aug 2013 12:12:30 -0700
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	Johan Hedberg <johan.hedberg@...el.com>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	Jaganath Kanakkassery <jaganath.k@...sung.com>,
	Chan-Yeol Park <chanyeol.park@...sung.com>,
	Gustavo Padovan <gustavo.padovan@...labora.co.uk>
Subject: Re: [ 045/102] Bluetooth: Fix invalid length check in
 l2cap_information_rsp()

On Fri, Aug 09, 2013 at 10:54:58AM +0300, Johan Hedberg wrote:
> Hi Greg,
> 
> On Thu, Aug 08, 2013, Greg Kroah-Hartman wrote:
> > 3.10-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Jaganath Kanakkassery <jaganath.k@...sung.com>
> > 
> > commit da9910ac4a816b4340944c78d94c02a35527db46 upstream.
> > 
> > The length check is invalid since the length varies with type of
> > info response.
> > 
> > This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
> > 
> > Because of this, l2cap info rsp is not handled and command reject is sent.
> > 
> > > ACL data: handle 11 flags 0x02 dlen 16
> >         L2CAP(s): Info rsp: type 2 result 0
> >           Extended feature mask 0x00b8
> >             Enhanced Retransmission mode
> >             Streaming mode
> >             FCS Option
> >             Fixed Channels
> > < ACL data: handle 11 flags 0x00 dlen 10
> >         L2CAP(s): Command rej: reason 0
> >           Command not understood
> > 
> > Signed-off-by: Jaganath Kanakkassery <jaganath.k@...sung.com>
> > Signed-off-by: Chan-Yeol Park <chanyeol.park@...sung.com>
> > Acked-by: Johan Hedberg <johan.hedberg@...el.com>
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > 
> > ---
> >  net/bluetooth/l2cap_core.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -4240,7 +4240,7 @@ static inline int l2cap_disconnect_rsp(s
> >  	u16 dcid, scid;
> >  	struct l2cap_chan *chan;
> >  
> > -	if (cmd_len != sizeof(*rsp))
> > +	if (cmd_len < sizeof(*rsp))
> >  		return -EPROTO;
> >  
> >  	scid = __le16_to_cpu(rsp->scid);
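Review bot: The hunk context (`l2cap_disconnect_rsp(s` in the `@@` line, followed by the `rsp->scid` read) puts this change in the disconnect response handler, but the subject and commit message describe l2cap_information_rsp(), where the length varies with the type of info response. As applied here, relaxing `cmd_len != sizeof(*rsp)` to `cmd_len < sizeof(*rsp)` loosens validation for a different command than the one the message discusses, and the info response path shown rejected in the trace is left unchanged. Suggest dropping this hunk from the queue or re-targeting it at the information response handler after comparing against the referenced upstream commit.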
> 
> This patch is already in 3.10 so there should be no need to try to
> backport it (not to mention that this backport itself is incorrect in
> that it modifies l2cap_disconnect_rsp whereas the original patch
> modifies l2cap_information_rsp).
> 
> For whatever reason this commit seems to exist twice in Linus' tree: once
> before the v3.10 tag with id 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 and
> once after the v3.10 tag with id da9910ac4a816b4340944c78d94c02a35527db46
> (which is the upstream commit id referenced by your commit message).

Thanks, this came into Linus's tree twice, I missed that.  I've now
dropped this from the 3.10-stable queue.

greg k-h
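The length problem described in the quoted commit message, as an added example that is not code from the kernel or from this thread: an exact-size check rejects the trace's type 2 response, while a minimum-size check followed by a per-type check accepts it. The function names, the return values and the sample bytes are constructed for illustration; the field sizes follow the L2CAP Information Response layout, and the per-type check goes beyond the one-line change in the patch.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define INFO_RSP_FIXED  4       /* 2-byte type + 2-byte result */
#define INFO_CL_MTU     0x0001  /* data: 2-byte connectionless MTU */
#define INFO_FEAT_MASK  0x0002  /* data: 4-byte extended feature mask */
#define INFO_FIXED_CHAN 0x0003  /* data: 8-byte fixed channel map */

/* Constructed sample: type 2, result 0, feature mask 0x00b8 (as in the trace). */
static const uint8_t sample_rsp[8] = { 0x02, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00 };

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Exact-size check on the fixed part only; -1 stands in for -EPROTO. */
int exact_check(size_t cmd_len)
{
	return cmd_len != INFO_RSP_FIXED ? -1 : 0;
}

/* Minimum-size check, then a per-type length check before reading data.
 * Returns 1 if data was validated, 0 if there is none to read, -1 if short. */
int parse_info_rsp(const uint8_t *buf, size_t cmd_len, uint32_t *feat_mask)
{
	size_t need;

	if (cmd_len < INFO_RSP_FIXED)
		return -1;
	if (get_le16(buf + 2) != 0)     /* non-success result: no data */
		return 0;
	switch (get_le16(buf)) {
	case INFO_CL_MTU:     need = 2; break;
	case INFO_FEAT_MASK:  need = 4; break;
	case INFO_FIXED_CHAN: need = 8; break;
	default:              return 0; /* unknown type: ignore data */
	}
	if (cmd_len - INFO_RSP_FIXED < need)
		return -1;
	if (get_le16(buf) == INFO_FEAT_MASK)
		*feat_mask = buf[4] | (buf[5] << 8) | (buf[6] << 16) | ((uint32_t)buf[7] << 24);
	return 1;
}

int main(void)
{
	uint32_t mask = 0;
	int rc = parse_info_rsp(sample_rsp, sizeof(sample_rsp), &mask);
	printf("exact=%d parse=%d mask=0x%04x\n", exact_check(sizeof(sample_rsp)), rc, (unsigned)mask);
	return 0;
}
```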