author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-10-16 23:09:17 -0400 |
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-10-16 23:09:17 -0400 |
commit | 96d5c2734bf17d5665efd0c0c777ea826dab4b68 (patch) | |
tree | ee5ccdb9b7950ebdf49c8358597c36e176b0e3ba | |
parent | 01876eb1ea229a1b7ef005a9cd049ec0435e51c6 (diff) | |
download | longterm-queue-2.6.34-96d5c2734bf17d5665efd0c0c777ea826dab4b68.tar.gz |
bluetooth: add CVE-2011-2497 patch.
Trivial mod needed due to different vars used where the "< 0" check
was added to a line.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/Bluetooth-Prevent-buffer-overflow-in-l2cap-config-re.patch | 36 | ||||
-rw-r--r-- | queue/series | 1 |
2 files changed, 37 insertions, 0 deletions
diff --git a/queue/Bluetooth-Prevent-buffer-overflow-in-l2cap-config-re.patch b/queue/Bluetooth-Prevent-buffer-overflow-in-l2cap-config-re.patch
new file mode 100644
index 0000000..aec1bc3
--- /dev/null
+++ b/queue/Bluetooth-Prevent-buffer-overflow-in-l2cap-config-re.patch
@@ -0,0 +1,36 @@
+From ccd38afb920d03ae7b54493beceb09be94f443aa Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg <drosenberg@vsecurity.com>
+Date: Fri, 24 Jun 2011 08:38:05 -0400
+Subject: [PATCH] Bluetooth: Prevent buffer overflow in l2cap config request
+
+commit 7ac28817536797fd40e9646452183606f9e17f71 upstream.
+
+A remote user can provide a small value for the command size field in
+the command header of an l2cap configuration request, resulting in an
+integer underflow when subtracting the size of the configuration request
+header. This results in copying a very large amount of data via
+memcpy() and destroying the kernel heap. Check for underflow.
+
+[PG: 34 uses l2cap_pi(sk)->... instead of a local chan->... variable]
+
+Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
+Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
+Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
+
+diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
+index 9753b69..b21e319 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2746,7 +2746,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ 
+ /* Reject if config buffer is too small. */
+ len = cmd_len - sizeof(*req);
+- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++ if (len < 0 || l2cap_pi(sk)->conf_len + len >
++ sizeof(l2cap_pi(sk)->conf_req)) {
+ l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ l2cap_build_conf_rsp(sk, rsp,
+ L2CAP_CONF_REJECT, flags), rsp);
+-- 
+1.7.7
+
diff --git a/queue/series b/queue/series
index 82259d7..98f4a72 100644
--- a/queue/series
+++ b/queue/series
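Review bot: The added `len < 0` guard in the queued l2cap.c hunk only rejects the underflow if `len` is a signed type, and its declaration is outside this hunk; `cmd_len - sizeof(*req)` is evaluated as size_t, so the negative value only appears through the implicit conversion back into `len` (the 2.6.3x tree declares it `int` as far as I recall, but that should be confirmed in the backport). If `len` were unsigned the comparison would be always-false and the oversized memcpy the patch description warns about would still be reachable. A check that does not depend on that conversion is `if (cmd_len < sizeof(*req) || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req))`, which compares the raw header length before the subtraction result is used. The enclosing l2cap_config_req body starts and ends outside the hunk.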
@@ -207,3 +207,4 @@ taskstats-don-t-allow-duplicate-entries-in-listener-.patch # others fs-partitions-efi.c-corrupted-GUID-partition-tables-.patch +Bluetooth-Prevent-buffer-overflow-in-l2cap-config-re.patch |