Patch "bluetooth: Validate socket address length in sco_sock_bind()." has been added to the 4.3-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    bluetooth: Validate socket address length in sco_sock_bind().

to the 4.3-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
and it can be found in the queue-4.3 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Wed Dec 30 19:48:47 PST 2015
From: "David S. Miller" <davem@davemloft.net>
Date: Tue, 15 Dec 2015 15:39:08 -0500
Subject: bluetooth: Validate socket address length in sco_sock_bind().

From: "David S. Miller" <davem@davemloft.net>

[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/sco.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
+	if (addr_len < sizeof(struct sockaddr_sco))
+		return -EINVAL;
+
 	lock_sock(sk);
 
 	if (sk->sk_state != BT_OPEN) {


Patches currently in stable-queue which might be from davem@davemloft.net are

queue-4.3/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
queue-4.3/ipv6-automatically-enable-stable-privacy-mode-if-stable_secret-set.patch
queue-4.3/inet-tcp-fix-inetpeer_set_addr_v4.patch
queue-4.3/uapi-export-ila.h.patch
queue-4.3/ipv6-sctp-clone-options-to-avoid-use-after-free.patch
queue-4.3/net-check-both-type-and-procotol-for-tcp-sockets.patch
queue-4.3/pppoe-fix-memory-corruption-in-padt-work-structure.patch
queue-4.3/gre6-allow-to-update-all-parameters-via-rtnl.patch
queue-4.3/af_unix-revert-lock_interruptible-in-stream-receive-code.patch
queue-4.3/net-fix-uninitialized-variable-issue.patch
queue-4.3/fou-clean-up-socket-with-kfree_rcu.patch
queue-4.3/sh_eth-fix-kernel-oops-in-skb_put.patch
queue-4.3/tcp-restore-fastopen-with-no-data-in-syn-packet.patch
queue-4.3/gianfar-don-t-enable-rx-filer-if-not-supported.patch
queue-4.3/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
queue-4.3/net-cdc_mbim-add-ndp-to-end-quirk-for-huawei-e3372.patch
queue-4.3/openvswitch-respect-conntrack-zone-even-if-invalid.patch
queue-4.3/openvswitch-fix-helper-reference-leak.patch
queue-4.3/net_sched-make-qdisc_tree_decrease_qlen-work-for-non-mq.patch
queue-4.3/revert-vrf-fix-double-free-and-memory-corruption-on-register_netdevice-failure.patch
queue-4.3/r8152-fix-lockup-when-runtime-pm-is-enabled.patch
queue-4.3/net-qca_spi-fix-transmit-queue-timeout-handling.patch
queue-4.3/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
queue-4.3/ipv6-keep-existing-flags-when-setting-ifa_f_optimistic.patch
queue-4.3/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
queue-4.3/net-add-validation-for-the-socket-syscall-protocol-argument.patch
queue-4.3/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
queue-4.3/phy-micrel-fix-finding-phy-properties-in-mac-node.patch
queue-4.3/tipc-fix-kfree_skb-of-uninitialised-pointer.patch
queue-4.3/sctp-also-copy-sk_tsflags-when-copying-the-socket.patch
queue-4.3/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
queue-4.3/vrf-fix-double-free-and-memory-corruption-on-register_netdevice-failure.patch
queue-4.3/net-fix-ip-early-demux-races.patch
queue-4.3/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
queue-4.3/vxlan-fix-incorrect-rco-bit-in-vxlan-header.patch
queue-4.3/rhashtable-fix-walker-list-corruption.patch
queue-4.3/rhashtable-enforce-minimum-size-on-initial-hash-table.patch