Message ID | 1312541336-28283-2-git-send-email-apw@canonical.com |
---|---|
State | New |
On 05.08.2011 12:48, Andy Whitcroft wrote: > From: Filip Palian <s3810@pjwstk.edu.pl> > > Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding > byte each. This byte in "cinfo" is copied to userspace uninitialized. > > Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl> > Acked-by: Marcel Holtmann <marcel@holtmann.org> > Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> > > (backported from commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f) > CVE-2011-2492 > BugLink: http://bugs.launchpad.net/bugs/819569 > Signed-off-by: Andy Whitcroft <apw@canonical.com> > --- > net/bluetooth/l2cap.c | 1 + > net/bluetooth/rfcomm/sock.c | 1 + > 2 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c > index cab446b..0676111 100644 > --- a/net/bluetooth/l2cap.c > +++ b/net/bluetooth/l2cap.c > @@ -1116,6 +1116,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch > break; > } > > + memset(&cinfo, 0, sizeof(cinfo)); > cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; > memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); > > diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c > index 9139c11..43d17c4 100644 > --- a/net/bluetooth/rfcomm/sock.c > +++ b/net/bluetooth/rfcomm/sock.c > @@ -770,6 +770,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c > > l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; > > + memset(&cinfo, 0, sizeof(cinfo)); > cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; > memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); > Yo
On Fri, 2011-08-05 at 11:48 +0100, Andy Whitcroft wrote: > From: Filip Palian <s3810@pjwstk.edu.pl> > > Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding > byte each. This byte in "cinfo" is copied to userspace uninitialized. > > Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl> > Acked-by: Marcel Holtmann <marcel@holtmann.org> > Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> > > (backported from commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f) > CVE-2011-2492 > BugLink: http://bugs.launchpad.net/bugs/819569 > Signed-off-by: Andy Whitcroft <apw@canonical.com> Acked-by: Leann Ogasawara <leann.ogasawara@canonical.com> > --- > net/bluetooth/l2cap.c | 1 + > net/bluetooth/rfcomm/sock.c | 1 + > 2 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c > index cab446b..0676111 100644 > --- a/net/bluetooth/l2cap.c > +++ b/net/bluetooth/l2cap.c > @@ -1116,6 +1116,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch > break; > } > > + memset(&cinfo, 0, sizeof(cinfo)); > cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; > memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); > > diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c > index 9139c11..43d17c4 100644 > --- a/net/bluetooth/rfcomm/sock.c > +++ b/net/bluetooth/rfcomm/sock.c > @@ -770,6 +770,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c > > l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; > > + memset(&cinfo, 0, sizeof(cinfo)); > cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; > memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); > > -- > 1.7.4.1 > >
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index cab446b..0676111 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -1116,6 +1116,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch break; } + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 9139c11..43d17c4 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -770,6 +770,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
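Review bot: in the l2cap_sock_getsockopt hunk, the added memset(&cinfo, 0, sizeof(cinfo)) carries no comment, and because hci_handle and dev_class are both assigned on the next two lines it reads as redundant to anyone who does not know about the padding byte. A one-line comment above it, saying that it clears struct padding before cinfo is copied to userspace, would keep a later cleanup from removing it.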
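Review bot: in the rfcomm_sock_getsockopt hunk, the memcpy on the context line after the new memset still uses a literal 3 for the dev_class length, while the memset uses sizeof(cinfo). Writing sizeof(cinfo.dev_class) there would tie the copy length to the struct definition in the same way; this is a style point on an unchanged line and could go in a separate change rather than in this backport.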