From: Greg KH <gregkh@linuxfoundation.org>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCH] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
Date: Fri, 18 Jan 2019 16:00:44 +0100
Message-ID: <20190118150044.GA31656@kroah.com>
In-Reply-To: <93BDB9CB-55F3-415A-8EED-DD532C36BC8A@holtmann.org>

On Fri, Jan 18, 2019 at 02:12:23PM +0100, Marcel Holtmann wrote:
> Hi Greg,
> 
> >> The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len
> >> as length value. The opt->len however is in control over the remote user
> >> and can be used by an attacker to gain access beyond the bounds of the
> >> actual packet.
> >> 
> >> To prevent any potential leak of heap memory, it is enough to check that
> >> the resulting len calculation after calling l2cap_get_conf_opt is not
> >> below zero. A well formed packet will always return >= 0 here and will
> >> end with the length value being zero after the last option has been
> >> parsed. In case of malformed packets messing with the opt->len field the
> >> length value will become negative. If that is the case, then just abort
> >> and ignore the option.
> >> 
> >> In case an attacker uses a too short opt->len value, then garbage will
> >> be parsed, but that is protected by the unknown option handling and also
> >> the option parameter size checks.
> >> 
> >> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
> >> ---
> >> net/bluetooth/l2cap_core.c | 6 ++++++
> >> 1 file changed, 6 insertions(+)
> >> 
> >> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> >> index 77799e7d5a34..ccdc5c67d22a 100644
> >> --- a/net/bluetooth/l2cap_core.c
> >> +++ b/net/bluetooth/l2cap_core.c
> >> @@ -3337,6 +3337,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
> >> 
> >> 	while (len >= L2CAP_CONF_OPT_SIZE) {
> >> 		len -= l2cap_get_conf_opt(&req, &type, &olen, &val);
> >> +		if (len < 0)
> >> +			break;
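Review bot: the new `if (len < 0)` check in this hunk only works if `len` is a signed type; the hunk header shows the function's `data_len` parameter as `size_t`, so please confirm `len` is declared `int` rather than copied as `size_t`, since on an unsigned type the subtraction wraps and `len < 0` can never be true. It would also help to state in the commit message which other `len -= l2cap_get_conf_opt(...)` loops in l2cap_core.c receive the same two lines, since the diffstat's 6 insertions imply more sites than the one shown here.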
> > 
> > <snip>
> > 
> > Patch looks good to me, thanks for fixing this all up:
> 
> it would still be good if we can get this verified by the reporter.

The "reporter" seems to have disappeared once they reported this stuff,
so I would not count on them doing anything here, we asked numerous
times :(

If the patches look correct, I recommend just merging it and I can
backport it to the stable releases and the distros can pick it up from
there.

thanks,

greg k-h

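As an added illustration of the check described in the commit message above (example code written here, not kernel code; the function names and packet bytes are assumptions), the following C model walks a configuration-option list the way the patched loop does and reports when the peer-supplied `opt->len` pushes the signed remaining length below zero:

```c
#include <stddef.h>
#include <stdint.h>

#define L2CAP_CONF_OPT_SIZE 2   /* one type byte and one length byte */

/* Stand-in for l2cap_get_conf_opt (assumed name and shape, not kernel code):
 * report the option's type and length and return the number of bytes the
 * option claims, L2CAP_CONF_OPT_SIZE + opt->len. opt->len is written by the
 * peer, so the return value is attacker-controlled. Only the two header
 * bytes are touched; the caller's loop condition guarantees they exist. */
static int get_conf_opt(const uint8_t *data, size_t off, int *type, int *olen)
{
    *type = data[off];
    *olen = data[off + 1];
    return L2CAP_CONF_OPT_SIZE + *olen;
}

/* The option walk from l2cap_parse_conf_req with the patch's check added.
 * Returns the number of options accepted (>= 0), or the negated number of
 * bytes the offending option claims beyond the packet (< 0), which is how
 * far an unchecked loop would have read past the end. `len` must be a
 * signed int: on an unsigned type `len < 0` could never be true. */
int parse_conf_opts(const uint8_t *data, size_t data_len)
{
    int len = (int)data_len;
    size_t off = 0;
    int count = 0, type, olen;

    while (len >= L2CAP_CONF_OPT_SIZE) {
        int consumed = get_conf_opt(data, off, &type, &olen);
        len -= consumed;
        if (len < 0)        /* the two lines the patch adds */
            return len;     /* the kernel breaks out; report the overrun here */
        off += consumed;
        count++;
    }
    return count;
}

/* Constructed sample packets, not captured traffic. */
const uint8_t good_pkt[] = { 0x01, 0x02, 0xf4, 0x01,  /* type 1, 2-byte value */
                             0x04, 0x01, 0x00 };      /* type 4, 1-byte value */
const uint8_t bad_pkt[]  = { 0x01, 0x02, 0xf4, 0x01,  /* well-formed first option */
                             0x04, 0x20 };            /* claims 32 value bytes, has none */
const uint8_t lone_pkt[] = { 0x01, 0xf0 };            /* header only, claims 240 bytes */
```

A well-formed packet ends the loop with `len` exactly zero, which is the behaviour the commit message relies on; any negative result is a malformed option that the patched loop refuses to hand to the option handlers.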
Thread overview:
2019-01-18 12:43 [PATCH] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Marcel Holtmann
2019-01-18 12:53 ` Greg KH
2019-01-18 13:12   ` Marcel Holtmann
2019-01-18 15:00     ` Greg KH [this message]
2019-01-21 14:51       ` Marcel Holtmann
2019-01-21 15:09         ` Greg KH
2019-01-23 11:37 ` Johan Hedberg