| From c4c896e1471aec3b004a693c689f60be3b17ac86 Mon Sep 17 00:00:00 2001 |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| Date: Mon, 14 Feb 2011 13:54:26 +0300 |
| Subject: Bluetooth: sco: fix information leak to userspace |
| |
| From: Vasiliy Kulikov <segoon@openwall.com> |
| |
| commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream. |
| |
| struct sco_conninfo has one padding byte at the end. Local variable |
| cinfo of type sco_conninfo is copied to userspace with this one |
| uninitialized byte, leading to a leak of old stack contents. |
| |
| Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> |
| Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/bluetooth/sco.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/net/bluetooth/sco.c |
| +++ b/net/bluetooth/sco.c |
| @@ -701,6 +701,7 @@ static int sco_sock_getsockopt_old(struc |
| break; |
| } |
| |
| + memset(&cinfo, 0, sizeof(cinfo)); |
| cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle; |
| memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3); |
| |
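Review bot: The added `memset(&cinfo, 0, sizeof(cinfo));` has no comment explaining why it is needed. The two assignments after it appear to fill the named fields, so the call looks redundant and could be dropped in a later cleanup. I would put `/* Zero padding too: cinfo is copied to userspace and must not carry stale stack bytes */` directly above it. The comment could also say that a `= {0}` initializer is not an equivalent replacement, since an initializer is not guaranteed to clear padding bytes while memset over `sizeof(cinfo)` does. The body of sco_sock_getsockopt_old starts and ends outside this hunk, so the copy to userspace itself is not visible here.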