[Acked] [Lucid Precise Quantal CVE-2013-3225] Bluetooth: RFCOMM - Fix missing msg_namelen update in rfcomm_sock_recvmsg()

[Andy Whitcroft]

On Thu, May 09, 2013 at 11:02:07AM +0100, Luis Henriques wrote:
> From: Mathias Krause <minipli at googlemail.com>
> 
> CVE-2013-3225
> 
> BugLink: https://bugs.launchpad.net/bugs/1172369
> 
> If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
> early with 0 without updating the possibly set msg_namelen member. This,
> in turn, leads to a 128 byte kernel stack leak in net/socket.c.
> 
> Fix this by updating msg_namelen in this case. For all other cases it
> will be handled in bt_sock_stream_recvmsg().
> 
> Cc: Marcel Holtmann <marcel at holtmann.org>
> Cc: Gustavo Padovan <gustavo at padovan.org>
> Cc: Johan Hedberg <johan.hedberg at gmail.com>
> Signed-off-by: Mathias Krause <minipli at googlemail.com>
> Signed-off-by: David S. Miller <davem at davemloft.net>
> (cherry picked from commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691)
> 
> Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
> ---
>  net/bluetooth/rfcomm/sock.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
> index ce3f665..970fc13 100644
> --- a/net/bluetooth/rfcomm/sock.c
> +++ b/net/bluetooth/rfcomm/sock.c
> @@ -610,6 +610,7 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
>  
>  	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
>  		rfcomm_dlc_accept(d);
> +		msg->msg_namelen = 0;
>  		return 0;
>  	}

Looks to be a clean cherry-pick.  Looks to do what is claimed.

Acked-by: Andy Whitcroft <apw at canonical.com>

-apw