[hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
Andy Whitcroft
apw at canonical.com
Fri Aug 5 10:48:56 UTC 2011
From: Filip Palian <s3810 at pjwstk.edu.pl>
Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.
Signed-off-by: Filip Palian <filip.palian at pjwstk.edu.pl>
Acked-by: Marcel Holtmann <marcel at holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
(backported from commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f)
CVE-2011-2492
BugLink: http://bugs.launchpad.net/bugs/819569
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
net/bluetooth/l2cap.c | 1 +
net/bluetooth/rfcomm/sock.c | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index cab446b..0676111 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1116,6 +1116,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
break;
}
+ memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 9139c11..43d17c4 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -770,6 +770,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
+ memset(&cinfo, 0, sizeof(cinfo));
cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
--
1.7.4.1
More information about the kernel-team
mailing list