[ACK] [hardy, lucid, lucid/fsl-imx51, maverick, maverick/ti-omap4, natty, natty/ti-omap4 CVE 1/1] Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

[Stefan Bader]

On 05.08.2011 12:48, Andy Whitcroft wrote:
> From: Filip Palian <s3810 at pjwstk.edu.pl>
> 
> Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
> byte each. This byte in "cinfo" is copied to userspace uninitialized.
> 
> Signed-off-by: Filip Palian <filip.palian at pjwstk.edu.pl>
> Acked-by: Marcel Holtmann <marcel at holtmann.org>
> Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
> 
> (backported from commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f)
> CVE-2011-2492
> BugLink: http://bugs.launchpad.net/bugs/819569
> Signed-off-by: Andy Whitcroft <apw at canonical.com>
> ---
>  net/bluetooth/l2cap.c       |    1 +
>  net/bluetooth/rfcomm/sock.c |    1 +
>  2 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
> index cab446b..0676111 100644
> --- a/net/bluetooth/l2cap.c
> +++ b/net/bluetooth/l2cap.c
> @@ -1116,6 +1116,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
>  			break;
>  		}
>  
> +		memset(&cinfo, 0, sizeof(cinfo));
>  		cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
>  		memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
>  
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index 9139c11..43d17c4 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -770,6 +770,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
>  
>  		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
>  
> +		memset(&cinfo, 0, sizeof(cinfo));
>  		cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
>  		memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
>  
Yo