From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Jaganath Kanakkassery <jaganath.k@samsung.com>,
Chan-Yeol Park <chanyeol.park@samsung.com>,
Johan Hedberg <johan.hedberg@intel.com>,
Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Subject: [ 05/26] Bluetooth: Fix invalid length check in l2cap_information_rsp()
Date: Mon, 1 Jul 2013 13:10:00 -0700
Message-ID: <20130701200730.503765752@linuxfoundation.org>
In-Reply-To: <20130701200729.872850414@linuxfoundation.org>
3.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jaganath Kanakkassery <jaganath.k@samsung.com>

commit 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 upstream.

The length check is invalid since the length varies with type of
info response.

This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888

Because of this, l2cap info rsp is not handled and command reject is sent.

> ACL data: handle 11 flags 0x02 dlen 16
        L2CAP(s): Info rsp: type 2 result 0
          Extended feature mask 0x00b8
            Enhanced Retransmission mode
            Streaming mode
            FCS Option
            Fixed Channels
< ACL data: handle 11 flags 0x00 dlen 10
        L2CAP(s): Command rej: reason 0
          Command not understood

Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Chan-Yeol Park <chanyeol.park@samsung.com>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4224,7 +4224,7 @@ static inline int l2cap_information_rsp(
struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
u16 type, result;
- if (cmd_len != sizeof(*rsp))
+ if (cmd_len < sizeof(*rsp))
return -EPROTO;
type = __le16_to_cpu(rsp->type);
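
Review bot: with the test relaxed to `cmd_len < sizeof(*rsp)`, only the fixed header (type and result) is guaranteed to be present, while the commit message says the rest of the length varies with the type of info response. Any code after `type = __le16_to_cpu(rsp->type);` that reads the type-specific payload should check, per type, that cmd_len also covers that payload before touching it; otherwise a response that is just long enough to pass this check could be read past its end. If per-type checks are not wanted in this fix, a short comment above the check saying it validates the header only would make the remaining assumption explicit.
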