| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1509571159-4405-8-git-send-email-w@1wt.eu>
Date: Wed, 1 Nov 2017 22:17:07 +0100
From: Willy Tarreau <w@....eu>
To: linux-kernel@...r.kernel.org, stable@...r.kernel.org,
linux@...ck-us.net
Cc: Al Viro <viro@...iv.linux.org.uk>,
Marcel Holtmann <marcel@...tmann.org>, Willy Tarreau <w@....eu>
Subject: [PATCH 3.10 007/139] Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
From: Al Viro <viro@...iv.linux.org.uk>
commit 96c26653ce65bf84f3212f8b00d4316c1efcbf4c upstream.
... rather than relying on ciptool(8) never passing it anything else. Give
it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
Signed-off-by: Al Viro <viro@...iv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@...tmann.org>
Signed-off-by: Willy Tarreau <w@....eu>
---
net/bluetooth/cmtp/core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c
index e0a6ebf..84460f6 100644
--- a/net/bluetooth/cmtp/core.c
+++ b/net/bluetooth/cmtp/core.c
@@ -334,6 +334,9 @@ int cmtp_add_connection(struct cmtp_connadd_req *req, struct socket *sock)
BT_DBG("");
+ if (!l2cap_is_socket(sock))
+ return -EBADFD;
+
session = kzalloc(sizeof(struct cmtp_session), GFP_KERNEL);
if (!session)
return -ENOMEM;
--
2.8.0.rc2.1.gbe9624a
Powered by blists - more mailing lists