[Lucid Precise Quantal CVE-2013-3225] Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()

[Luis Henriques]

From: Mathias Krause <minipli at googlemail.com>

CVE-2013-3225

BugLink: https://bugs.launchpad.net/bugs/1172369

If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().

Cc: Marcel Holtmann <marcel at holtmann.org>
Cc: Gustavo Padovan <gustavo at padovan.org>
Cc: Johan Hedberg <johan.hedberg at gmail.com>
Signed-off-by: Mathias Krause <minipli at googlemail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>
(cherry picked from commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691)

Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 net/bluetooth/rfcomm/sock.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index ce3f665..970fc13 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -610,6 +610,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 
 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
 		rfcomm_dlc_accept(d);
+		msg->msg_namelen = 0;
 		return 0;
 	}
 
-- 
1.8.1.2