| From 7ac28817536797fd40e9646452183606f9e17f71 Mon Sep 17 00:00:00 2001 |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| Date: Fri, 24 Jun 2011 08:38:05 -0400 |
| Subject: Bluetooth: Prevent buffer overflow in l2cap config request |
| |
| From: Dan Rosenberg <drosenberg@vsecurity.com> |
| |
| commit 7ac28817536797fd40e9646452183606f9e17f71 upstream. |
| |
| A remote user can provide a small value for the command size field in |
| the command header of an l2cap configuration request, resulting in an |
| integer underflow when subtracting the size of the configuration request |
| header. This results in copying a very large amount of data via |
| memcpy() and destroying the kernel heap. Check for underflow. |
| |
| Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> |
| Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| |
| --- |
| net/bluetooth/l2cap.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/bluetooth/l2cap.c |
| +++ b/net/bluetooth/l2cap.c |
| @@ -2720,7 +2720,7 @@ static inline int l2cap_config_req(struc |
| |
| /* Reject if config buffer is too small. */ |
| len = cmd_len - sizeof(*req); |
| - if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { |
| + if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { |
| l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, |
| l2cap_build_conf_rsp(sk, rsp, |
| L2CAP_CONF_REJECT, flags), rsp); |