lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1452054993-76111-1-git-send-email-wuninsu@gmail.com>
Date:	Tue,  5 Jan 2016 23:36:33 -0500
From:	Insu Yun <wuninsu@...il.com>
To:	marcel@...tmann.org, gustavo@...ovan.org, johan.hedberg@...il.com,
	davem@...emloft.net, peter@...leysoftware.com,
	jaganath.k@...sung.com, ying.xue@...driver.com,
	ebiederm@...ssion.com, linux-bluetooth@...r.kernel.org,
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:	taesoo@...ech.edu, yeongjin.jang@...ech.edu, insu@...ech.edu,
	changwoo@...ech.edu, Insu Yun <wuninsu@...il.com>
Subject: [PATCH] rfcomm: fix information leak in rfcomm_sock_bind

if addr_len < sizeof(sa), sa.rc_bdaddr(4bytes) can be leaked 
by using rfcomm_sock_getname()

Signed-off-by: Insu Yun <wuninsu@...il.com>
---
 net/bluetooth/rfcomm/sock.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7511df7..d61dfdc 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -336,14 +336,15 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
 {
 	struct sockaddr_rc sa;
 	struct sock *sk = sock->sk;
-	int len, err = 0;
+	int err = 0;
 
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
-	memset(&sa, 0, sizeof(sa));
-	len = min_t(unsigned int, sizeof(sa), addr_len);
-	memcpy(&sa, addr, len);
+	if (addr_len != sizeof(sa))
+		return -EINVAL;
+
+	memcpy(&sa, addr, addr_len);
 
 	BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
 
-- 
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ