| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <tencent_FE3C6F369E968237444B7E74BD7625670A09@qq.com>
Date: Tue, 9 Apr 2024 21:36:41 +0800
From: Edward Adam Davis <eadavis@...com>
To: eric.dumazet@...il.com
Cc: eadavis@...com,
edumazet@...gle.com,
johan.hedberg@...il.com,
linux-bluetooth@...r.kernel.org,
linux-kernel@...r.kernel.org,
luiz.dentz@...il.com,
marcel@...tmann.org,
netdev@...r.kernel.org,
pmenzel@...gen.mpg.de,
syzbot+d4ecae01a53fd9b42e7d@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: [PATCH] Bluetooth: fix oob in rfcomm_sock_setsockopt
If optlen < sizeof(u32) it will trigger oob, so take the min of them.
Reported-by: syzbot+d4ecae01a53fd9b42e7d@...kaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@...com>
---
net/bluetooth/rfcomm/sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index b54e8a530f55..42c55c756b51 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname,
switch (optname) {
case RFCOMM_LM:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
+ if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) {
err = -EFAULT;
break;
}
--
2.43.0
Powered by blists - more mailing lists