lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130809191230.GE10130@kroah.com>
Date:	Fri, 9 Aug 2013 12:12:30 -0700
From:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To:	Johan Hedberg <johan.hedberg@...el.com>
Cc:	linux-kernel@...r.kernel.org, stable@...r.kernel.org,
	Jaganath Kanakkassery <jaganath.k@...sung.com>,
	Chan-Yeol Park <chanyeol.park@...sung.com>,
	Gustavo Padovan <gustavo.padovan@...labora.co.uk>
Subject: Re: [ 045/102] Bluetooth: Fix invalid length check in
 l2cap_information_rsp()

On Fri, Aug 09, 2013 at 10:54:58AM +0300, Johan Hedberg wrote:
> Hi Greg,
> 
> On Thu, Aug 08, 2013, Greg Kroah-Hartman wrote:
> > 3.10-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Jaganath Kanakkassery <jaganath.k@...sung.com>
> > 
> > commit da9910ac4a816b4340944c78d94c02a35527db46 upstream.
> > 
> > The length check is invalid since the length varies with type of
> > info response.
> > 
> > This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
> > 
> > Because of this, l2cap info rsp is not handled and command reject is sent.
> > 
> > > ACL data: handle 11 flags 0x02 dlen 16
> >         L2CAP(s): Info rsp: type 2 result 0
> >           Extended feature mask 0x00b8
> >             Enhanced Retransmission mode
> >             Streaming mode
> >             FCS Option
> >             Fixed Channels
> > < ACL data: handle 11 flags 0x00 dlen 10
> >         L2CAP(s): Command rej: reason 0
> >           Command not understood
> > 
> > Signed-off-by: Jaganath Kanakkassery <jaganath.k@...sung.com>
> > Signed-off-by: Chan-Yeol Park <chanyeol.park@...sung.com>
> > Acked-by: Johan Hedberg <johan.hedberg@...el.com>
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> > 
> > ---
> >  net/bluetooth/l2cap_core.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -4240,7 +4240,7 @@ static inline int l2cap_disconnect_rsp(s
> >  	u16 dcid, scid;
> >  	struct l2cap_chan *chan;
> >  
> > -	if (cmd_len != sizeof(*rsp))
> > +	if (cmd_len < sizeof(*rsp))
> >  		return -EPROTO;
> >  
> >  	scid = __le16_to_cpu(rsp->scid);
> 
> This patch is already in 3.10 so there should be no need to try to
> backport it (not to mention that this backport itself is incorrect in
> that it modifies l2cap_disconnect_rsp whereas the original patch
> modifies l2cap_information_rsp).
> 
> For whatever reason this commit seems to exist twice in Linus' tree: once
> before the v3.10 tag with id 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 and
> once after the v3.10 tag with id da9910ac4a816b4340944c78d94c02a35527db46
> (which is the upstream commit id referenced by your commit message).

Thanks, this came into Linus's tree twice, I missed that.  I've now
dropped this from the 3.10-stable queue.

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ