[SRU] [T/X/B/C/D] [PATCH 0/1] CVE-2019-3459 - Heap address infoleak in use of l2cap_get_conf_opt

Kai-Heng Feng kai.heng.feng at canonical.com
Tue Feb 19 10:48:55 UTC 2019


Heap data infoleak in multiple locations including
function l2cap_parse_conf_rsp

The fix itself is quite trivial; to quote the commit message:
"To prevent any potential leak of heap memory, it is enough to check
that the resulting len calculation after calling l2cap_get_conf_opt is
not below zero. A well formed packet will always return >= 0 here and
will end with the length value being zero after the last option has been
parsed. In case of malformed packets messing with the opt->len field the
length value will become negative. If that is the case, then just abort
and ignore the option."

Marcel Holtmann (1):
  Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

 net/bluetooth/l2cap_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

-- 
2.17.1
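
The length check described in the quoted commit message, as an added example that is not part of the original message or of the kernel patch: a user-space model of a type/length/value option walk. The names `parse_opts` and `struct parse_result`, the 2-byte option header, and both sample buffers are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define OPT_HDR_SIZE 2 /* assumed: one type byte + one length byte per option */

struct parse_result {
    int options;   /* options accepted before stopping */
    int remaining; /* final len: 0 if well formed, < 0 if an option overran */
};

/* Walks type/length/value options in buf[0..len). Hypothetical model, not
 * the kernel function: only the len bookkeeping mirrors the commit message. */
static struct parse_result parse_opts(const uint8_t *buf, int len)
{
    struct parse_result r = { 0, 0 };
    int off = 0;

    while (len >= OPT_HDR_SIZE) {
        uint8_t olen = buf[off + 1];   /* length byte taken from the packet */
        len -= OPT_HDR_SIZE + olen;    /* what the option claims to occupy */
        if (len < 0)                   /* claims more than the buffer holds: */
            break;                     /* abort before touching the value */
        /* the olen value bytes starting at buf[off + 2] are now in bounds */
        r.options++;
        off += OPT_HDR_SIZE + olen;
    }
    r.remaining = len;
    return r;
}

/* Constructed sample buffers: two 2-byte options, then the same bytes with
 * the second length byte changed to claim 16 value bytes. */
static const uint8_t good_opts[] = { 0x01, 0x02, 0x00, 0x30, 0x02, 0x02, 0xff, 0xff };
static const uint8_t bad_opts[]  = { 0x01, 0x02, 0x00, 0x30, 0x02, 0x10, 0xff, 0xff };

int main(void)
{
    struct parse_result g = parse_opts(good_opts, (int)sizeof(good_opts));
    struct parse_result b = parse_opts(bad_opts, (int)sizeof(bad_opts));

    printf("good: %d options, len=%d\n", g.options, g.remaining);
    printf("bad:  %d options, len=%d\n", b.options, b.remaining);
    return 0;
}
```

A negative `remaining` is the number of bytes past the end of the buffer that the rejected option claimed.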



