Patch "bluetooth: Validate socket address length in sco_sock_bind()." has been added to the 3.14-stable tree

Patch "bluetooth: Validate socket address length in sco_sock_bind()." has been added to the 3.14-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    bluetooth: Validate socket address length in sco_sock_bind().

to the 3.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
and it can be found in the queue-3.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Mon Jan 18 21:17:42 PST 2016
From: "David S. Miller" <davem@davemloft.net>
Date: Tue, 15 Dec 2015 15:39:08 -0500
Subject: bluetooth: Validate socket address length in sco_sock_bind().
Status: RO
Content-Length: 619
Lines: 24

From: "David S. Miller" <davem@davemloft.net>

[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/sco.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/bluetooth/sco.c
+++ b/net/bluetooth/sco.c
@@ -459,6 +459,9 @@ static int sco_sock_bind(struct socket *
 	if (!addr || addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
 
+	if (addr_len < sizeof(struct sockaddr_sco))
+		return -EINVAL;
+
 	lock_sock(sk);
 
 	if (sk->sk_state != BT_OPEN) {


Patches currently in stable-queue which might be from davem@davemloft.net are

queue-3.14/packet-infer-protocol-from-ethernet-header-if-unset.patch
queue-3.14/sctp-use-the-same-clock-as-if-sock-source-timestamps-were-on.patch
queue-3.14/net-qmi_wwan-add-xs-stick-w100-2-from-4g-systems.patch
queue-3.14/ipv6-distinguish-frag-queues-by-device-for-multicast-and-link-local-packets.patch
queue-3.14/unix-avoid-use-after-free-in-ep_remove_wait_queue.patch
queue-3.14/ipv6-sctp-clone-options-to-avoid-use-after-free.patch
queue-3.14/bluetooth-validate-socket-address-length-in-sco_sock_bind.patch
queue-3.14/atl1c-improve-driver-not-to-do-order-4-gfp_atomic-allocation.patch
queue-3.14/af_unix-revert-lock_interruptible-in-stream-receive-code.patch
queue-3.14/ipv6-sctp-implement-sctp_v6_destroy_sock.patch
queue-3.14/snmp-remove-duplicate-outmcast-stat-increment.patch
queue-3.14/sh_eth-fix-kernel-oops-in-skb_put.patch
queue-3.14/sctp-update-the-netstamp_needed-counter-when-copying-sockets.patch
queue-3.14/broadcom-fix-phy_id_bcm5481-entry-in-the-id-table.patch
queue-3.14/skbuff-fix-offset-error-in-skb_reorder_vlan_header.patch
queue-3.14/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_connect.patch
queue-3.14/net-scm-fix-pax-detected-msg_controllen-overflow-in-scm_detach_fds.patch
queue-3.14/tcp-md5-fix-lockdep-annotation.patch
queue-3.14/sctp-translate-host-order-to-network-order-when-setting-a-hmacid.patch
queue-3.14/net-ipmr-fix-static-mfc-dev-leaks-on-table-destruction.patch
queue-3.14/packet-always-probe-for-transport-header.patch
queue-3.14/ip_tunnel-disable-preemption-when-updating-per-cpu-tstats.patch
queue-3.14/net-ip6mr-fix-static-mfc-dev-leaks-on-table-destruction.patch
queue-3.14/net-add-validation-for-the-socket-syscall-protocol-argument.patch
queue-3.14/tcp-initialize-tp-copied_seq-in-case-of-cross-syn-connection.patch
queue-3.14/gre6-allow-to-update-all-parameters-via-rtnl.patch
queue-3.14/packet-do-skb_probe_transport_header-when-we-actually-have-data.patch
queue-3.14/vlan-fix-untag-operations-of-stacked-vlans-with-reorder_header-off.patch
queue-3.14/tools-net-use-include-uapi-with-__exported_headers__.patch