Linux bluetooth development
From: Gustavo Padovan <gustavo@padovan.org>
To: David Herrmann <dh.herrmann@gmail.com>
Cc: linux-bluetooth@vger.kernel.org, Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [PATCH v3 02/18] Bluetooth: hidp: verify l2cap sockets
Date: Fri, 5 Apr 2013 23:44:54 -0300
Message-ID: <20130406024454.GB10666@joana>
In-Reply-To: <1365166670-3271-3-git-send-email-dh.herrmann@gmail.com>

Hi David,

* David Herrmann <dh.herrmann@gmail.com> [2013-04-05 14:57:34 +0200]:

> We need to verify that the given sockets actually are l2cap sockets. If
> they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
> start the session if the offsets turn out to be valid local BT addresses.
> 
> That is, if someone passes a TCP socket to HIDCONNADD, then we access some
> random offset in the TCP socket (which isn't even guaranteed to be valid).
> 
> Fix this by checking that the socket is an l2cap socket.
> 
> Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
> ---
>  include/net/bluetooth/l2cap.h | 1 +
>  net/bluetooth/hidp/core.c     | 2 ++
>  net/bluetooth/l2cap_sock.c    | 6 ++++++
>  3 files changed, 9 insertions(+)

Patch has been applied to bluetooth-next. Thanks.

	Gustavo
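
An added illustration, not part of the original message or of the kernel patch: a user-space C model of the check the quoted commit message describes, rejecting a socket that is not L2CAP before its protocol-private fields are read. All type and function names, and the address comparison that follows the check, are assumptions made for the model.

```c
#include <errno.h>
#include <string.h>
/* User-space model; every name here is a hypothetical stand-in, not a kernel symbol. */
struct ops_model { const char *name; };
struct sock_model { const struct ops_model *ops; };   /* generic socket handle */

struct bt_sock_model {            /* layout valid only for L2CAP-type sockets */
    struct sock_model base;       /* first member, so the downcast is well defined */
    unsigned char src[6], dst[6];
};
struct tcp_sock_model {           /* unrelated layout behind the same handle type */
    struct sock_model base;
    unsigned int seq;
};
static const struct ops_model l2cap_ops_model = { "l2cap" };
static const struct ops_model tcp_ops_model = { "tcp" };

/* Type check by identity of the ops table, done before any downcast. */
static int is_l2cap_model(const struct sock_model *s)
{
    return s && s->ops == &l2cap_ops_model;
}

/* Models a session-add entry point that receives two caller-supplied sockets. */
int session_add_model(const struct sock_model *ctrl, const struct sock_model *intr)
{
    if (!is_l2cap_model(ctrl) || !is_l2cap_model(intr))
        return -EINVAL;           /* reject before touching protocol-private fields */
    const struct bt_sock_model *c = (const struct bt_sock_model *)ctrl;
    const struct bt_sock_model *i = (const struct bt_sock_model *)intr;
    if (memcmp(c->src, i->src, 6) || memcmp(c->dst, i->dst, 6))
        return -EADDRNOTAVAIL;    /* assumed rule: both channels share one address pair */
    return 0;
}

/* Constructed sample inputs. */
int demo_two_l2cap(void)
{
    struct bt_sock_model a = { { &l2cap_ops_model }, {1,2,3,4,5,6}, {6,5,4,3,2,1} };
    struct bt_sock_model b = a;
    return session_add_model(&a.base, &b.base);
}
int demo_tcp_as_intr(void)
{
    struct bt_sock_model a = { { &l2cap_ops_model }, {1,2,3,4,5,6}, {6,5,4,3,2,1} };
    struct tcp_sock_model t = { { &tcp_ops_model }, 42u };
    return session_add_model(&a.base, &t.base);
}
int main(void) { return demo_two_l2cap() != 0 || demo_tcp_as_intr() != -EINVAL; }
```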
