| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20240501123456.6712-3-johan+linaro@kernel.org>
Date: Wed, 1 May 2024 14:34:53 +0200
From: Johan Hovold <johan+linaro@...nel.org>
To: Marcel Holtmann <marcel@...tmann.org>,
Luiz Augusto von Dentz <luiz.dentz@...il.com>
Cc: Janaki Ramaiah Thota <quic_janathot@...cinc.com>,
linux-bluetooth@...r.kernel.org,
linux-kernel@...r.kernel.org,
Johan Hovold <johan+linaro@...nel.org>,
stable@...r.kernel.org,
Tim Jiang <quic_tjiang@...cinc.com>
Subject: [PATCH 2/5] Bluetooth: qca: fix info leak when fetching board id
Add the missing sanity check when fetching the board id to avoid leaking
slab data when later requesting the firmware.
Fixes: a7f8dedb4be2 ("Bluetooth: qca: add support for QCA2066")
Cc: stable@...r.kernel.org # 6.7
Cc: Tim Jiang <quic_tjiang@...cinc.com>
Signed-off-by: Johan Hovold <johan+linaro@...nel.org>
---
drivers/bluetooth/btqca.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/bluetooth/btqca.c b/drivers/bluetooth/btqca.c
index a508d79d9aaa..638074992c82 100644
--- a/drivers/bluetooth/btqca.c
+++ b/drivers/bluetooth/btqca.c
@@ -252,6 +252,11 @@ static int qca_read_fw_board_id(struct hci_dev *hdev, u16 *bid)
goto out;
}
+ if (skb->len < 3) {
+ err = -EILSEQ;
+ goto out;
+ }
+
*bid = (edl->data[1] << 8) + edl->data[2];
bt_dev_dbg(hdev, "%s: bid = %x", __func__, *bid);
--
2.43.2
Powered by blists - more mailing lists