[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1452054993-76111-1-git-send-email-wuninsu@gmail.com>
Date: Tue, 5 Jan 2016 23:36:33 -0500
From: Insu Yun <wuninsu@...il.com>
To: marcel@...tmann.org, gustavo@...ovan.org, johan.hedberg@...il.com,
davem@...emloft.net, peter@...leysoftware.com,
jaganath.k@...sung.com, ying.xue@...driver.com,
ebiederm@...ssion.com, linux-bluetooth@...r.kernel.org,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: taesoo@...ech.edu, yeongjin.jang@...ech.edu, insu@...ech.edu,
changwoo@...ech.edu, Insu Yun <wuninsu@...il.com>
Subject: [PATCH] rfcomm: fix information leak in rfcomm_sock_bind
if addr_len < sizeof(sa), sa.rc_bdaddr(4bytes) can be leaked
by using rfcomm_sock_getname()
Signed-off-by: Insu Yun <wuninsu@...il.com>
---
net/bluetooth/rfcomm/sock.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7511df7..d61dfdc 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -336,14 +336,15 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
{
struct sockaddr_rc sa;
struct sock *sk = sock->sk;
- int len, err = 0;
+ int err = 0;
if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;
- memset(&sa, 0, sizeof(sa));
- len = min_t(unsigned int, sizeof(sa), addr_len);
- memcpy(&sa, addr, len);
+ if (addr_len != sizeof(sa))
+ return -EINVAL;
+
+ memcpy(&sa, addr, addr_len);
BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);
--
1.9.1
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists