lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <1428569224-23820-162-git-send-email-lizf@kernel.org>
Date:	Thu,  9 Apr 2015 16:46:50 +0800
From:	lizf@...nel.org
To:	stable@...r.kernel.org
Cc:	linux-kernel@...r.kernel.org,
	Tim Niemeyer <tim.niemeyer@...science.de>,
	Jaganath Kanakkassery <jaganath.k@...sung.com>,
	Chan-Yeol Park <chanyeol.park@...sung.com>,
	Gustavo Padovan <gustavo.padovan@...labora.co.uk>,
	Jianguo Wu <wujianguo@...wei.com>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Zefan Li <lizefan@...wei.com>
Subject: [PATCH 3.4 162/176] Bluetooth: Fix invalid length check in l2cap_information_rsp()

From: Tim Niemeyer <tim.niemeyer@...science.de>

3.4.107-rc1 review patch.  If anyone has any objections, please let me know.

------------------


first backport commit 6ec88fcb4aa2c33fe2fe2a23c576a7e2581c5c3d changes
l2cap_move_channel_confirm_rsp and not the l2cap_information_rsp. So
revert this and fix at the correct position.

commit 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 upstream.

The length check is invalid since the length varies with type of
info response.

This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888

Because of this, l2cap info rsp is not handled and command reject is sent.

> ACL data: handle 11 flags 0x02 dlen 16
        L2CAP(s): Info rsp: type 2 result 0
          Extended feature mask 0x00b8
            Enhanced Retransmission mode
            Streaming mode
            FCS Option
            Fixed Channels
< ACL data: handle 11 flags 0x00 dlen 10
        L2CAP(s): Command rej: reason 0
          Command not understood

Signed-off-by: Jaganath Kanakkassery <jaganath.k@...sung.com>
Signed-off-by: Chan-Yeol Park <chanyeol.park@...sung.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
Cc: Jianguo Wu <wujianguo@...wei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Signed-off-by: Tim Niemeyer <tim.niemeyer@...science.de>
Acked-by: Johan Hedberg <johan.hedberg@...el.com>
Signed-off-by: Zefan Li <lizefan@...wei.com>
---
 net/bluetooth/l2cap_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 3bb535b..c11fd9e 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3239,7 +3239,7 @@ static inline int l2cap_information_rsp(struct l2cap_conn *conn,
 	struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
 	u16 type, result;
 
-	if (cmd_len != sizeof(*rsp))
+	if (cmd_len < sizeof(*rsp))
 		return -EPROTO;
 
 	type   = __le16_to_cpu(rsp->type);
@@ -3445,7 +3445,7 @@ static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn,
 	struct l2cap_move_chan_cfm_rsp *rsp = data;
 	u16 icid;
 
-	if (cmd_len < sizeof(*rsp))
+	if (cmd_len != sizeof(*rsp))
 		return -EPROTO;
 
 	icid = le16_to_cpu(rsp->icid);
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ