From: Greg Kroah-Hartman <greg@kroah.com>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Johan Hedberg <johan.hedberg@intel.com>,
Gustavo Padovan <gustavo.padovan@collabora.co.uk>,
"John W. Linville" <linville@tuxdriver.com>
Subject: [ 11/48] Bluetooth: Fix missing length checks for L2CAP signalling PDUs
Date: Tue, 18 Jun 2013 09:17:37 -0700 [thread overview]
Message-ID: <20130618161727.498344365@linuxfoundation.org> (raw)
In-Reply-To: <20130618161725.912524266@linuxfoundation.org>
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hedberg <johan.hedberg@intel.com>
commit cb3b3152b2f5939d67005cff841a1ca748b19888 upstream.
There has been code in place to check that the L2CAP length header
matches the amount of data received, but many PDU handlers have not been
checking that the data received actually matches that expected by the
specific PDU. This patch adds passing the length header to the specific
handler functions and ensures that those functions fail cleanly in the
case of an incorrect amount of data.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 70 +++++++++++++++++++++++++++++++++------------
1 file changed, 52 insertions(+), 18 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3568,10 +3568,14 @@ static void l2cap_conf_rfc_get(struct l2
}
static inline int l2cap_command_rej(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_cmd_rej_unk *rej = (struct l2cap_cmd_rej_unk *) data;
+ if (cmd_len < sizeof(*rej))
+ return -EPROTO;
+
if (rej->reason != L2CAP_REJ_NOT_UNDERSTOOD)
return 0;
@@ -3720,11 +3724,14 @@ sendresp:
}
static int l2cap_connect_req(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
{
struct hci_dev *hdev = conn->hcon->hdev;
struct hci_conn *hcon = conn->hcon;
+ if (cmd_len < sizeof(struct l2cap_conn_req))
+ return -EPROTO;
+
hci_dev_lock(hdev);
if (test_bit(HCI_MGMT, &hdev->dev_flags) &&
!test_and_set_bit(HCI_CONN_MGMT_CONNECTED, &hcon->flags))
@@ -3738,7 +3745,8 @@ static int l2cap_connect_req(struct l2ca
}
static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_conn_rsp *rsp = (struct l2cap_conn_rsp *) data;
u16 scid, dcid, result, status;
@@ -3746,6 +3754,9 @@ static int l2cap_connect_create_rsp(stru
u8 req[128];
int err;
+ if (cmd_len < sizeof(*rsp))
+ return -EPROTO;
+
scid = __le16_to_cpu(rsp->scid);
dcid = __le16_to_cpu(rsp->dcid);
result = __le16_to_cpu(rsp->result);
@@ -3843,6 +3854,9 @@ static inline int l2cap_config_req(struc
struct l2cap_chan *chan;
int len, err = 0;
+ if (cmd_len < sizeof(*req))
+ return -EPROTO;
+
dcid = __le16_to_cpu(req->dcid);
flags = __le16_to_cpu(req->flags);
@@ -3866,7 +3880,7 @@ static inline int l2cap_config_req(struc
/* Reject if config buffer is too small. */
len = cmd_len - sizeof(*req);
- if (len < 0 || chan->conf_len + len > sizeof(chan->conf_req)) {
+ if (chan->conf_len + len > sizeof(chan->conf_req)) {
l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
l2cap_build_conf_rsp(chan, rsp,
L2CAP_CONF_REJECT, flags), rsp);
@@ -3944,14 +3958,18 @@ unlock:
}
static inline int l2cap_config_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_conf_rsp *rsp = (struct l2cap_conf_rsp *)data;
u16 scid, flags, result;
struct l2cap_chan *chan;
- int len = le16_to_cpu(cmd->len) - sizeof(*rsp);
+ int len = cmd_len - sizeof(*rsp);
int err = 0;
+ if (cmd_len < sizeof(*rsp))
+ return -EPROTO;
+
scid = __le16_to_cpu(rsp->scid);
flags = __le16_to_cpu(rsp->flags);
result = __le16_to_cpu(rsp->result);
@@ -4052,7 +4070,8 @@ done:
}
static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_disconn_req *req = (struct l2cap_disconn_req *) data;
struct l2cap_disconn_rsp rsp;
@@ -4060,6 +4079,9 @@ static inline int l2cap_disconnect_req(s
struct l2cap_chan *chan;
struct sock *sk;
+ if (cmd_len != sizeof(*req))
+ return -EPROTO;
+
scid = __le16_to_cpu(req->scid);
dcid = __le16_to_cpu(req->dcid);
@@ -4099,12 +4121,16 @@ static inline int l2cap_disconnect_req(s
}
static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_disconn_rsp *rsp = (struct l2cap_disconn_rsp *) data;
u16 dcid, scid;
struct l2cap_chan *chan;
+ if (cmd_len != sizeof(*rsp))
+ return -EPROTO;
+
scid = __le16_to_cpu(rsp->scid);
dcid = __le16_to_cpu(rsp->dcid);
@@ -4134,11 +4160,15 @@ static inline int l2cap_disconnect_rsp(s
}
static inline int l2cap_information_req(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_info_req *req = (struct l2cap_info_req *) data;
u16 type;
+ if (cmd_len != sizeof(*req))
+ return -EPROTO;
+
type = __le16_to_cpu(req->type);
BT_DBG("type 0x%4.4x", type);
@@ -4185,11 +4215,15 @@ static inline int l2cap_information_req(
}
static inline int l2cap_information_rsp(struct l2cap_conn *conn,
- struct l2cap_cmd_hdr *cmd, u8 *data)
+ struct l2cap_cmd_hdr *cmd, u16 cmd_len,
+ u8 *data)
{
struct l2cap_info_rsp *rsp = (struct l2cap_info_rsp *) data;
u16 type, result;
+ if (cmd_len != sizeof(*rsp))
+ return -EPROTO;
+
type = __le16_to_cpu(rsp->type);
result = __le16_to_cpu(rsp->result);
@@ -5055,16 +5089,16 @@ static inline int l2cap_bredr_sig_cmd(st
switch (cmd->code) {
case L2CAP_COMMAND_REJ:
- l2cap_command_rej(conn, cmd, data);
+ l2cap_command_rej(conn, cmd, cmd_len, data);
break;
case L2CAP_CONN_REQ:
- err = l2cap_connect_req(conn, cmd, data);
+ err = l2cap_connect_req(conn, cmd, cmd_len, data);
break;
case L2CAP_CONN_RSP:
case L2CAP_CREATE_CHAN_RSP:
- err = l2cap_connect_create_rsp(conn, cmd, data);
+ err = l2cap_connect_create_rsp(conn, cmd, cmd_len, data);
break;
case L2CAP_CONF_REQ:
@@ -5072,15 +5106,15 @@ static inline int l2cap_bredr_sig_cmd(st
break;
case L2CAP_CONF_RSP:
- err = l2cap_config_rsp(conn, cmd, data);
+ err = l2cap_config_rsp(conn, cmd, cmd_len, data);
break;
case L2CAP_DISCONN_REQ:
- err = l2cap_disconnect_req(conn, cmd, data);
+ err = l2cap_disconnect_req(conn, cmd, cmd_len, data);
break;
case L2CAP_DISCONN_RSP:
- err = l2cap_disconnect_rsp(conn, cmd, data);
+ err = l2cap_disconnect_rsp(conn, cmd, cmd_len, data);
break;
case L2CAP_ECHO_REQ:
@@ -5091,11 +5125,11 @@ static inline int l2cap_bredr_sig_cmd(st
break;
case L2CAP_INFO_REQ:
- err = l2cap_information_req(conn, cmd, data);
+ err = l2cap_information_req(conn, cmd, cmd_len, data);
break;
case L2CAP_INFO_RSP:
- err = l2cap_information_rsp(conn, cmd, data);
+ err = l2cap_information_rsp(conn, cmd, cmd_len, data);
break;
case L2CAP_CREATE_CHAN_REQ:
next prev parent reply other threads:[~2013-06-18 16:17 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-18 16:17 [ 00/48] 3.9.7-stable review Greg Kroah-Hartman
2013-06-18 16:17 ` [ 01/48] audit: wait_for_auditd() should use TASK_UNINTERRUPTIBLE Greg Kroah-Hartman
2013-06-18 16:17 ` [ 02/48] b43: stop format string leaking into error msgs Greg Kroah-Hartman
2013-06-18 16:17 ` [ 03/48] ACPI / video: Do not bind to device objects with a scan handler Greg Kroah-Hartman
2013-06-18 16:17 ` [ 04/48] libceph: must hold mutex for reset_changed_osds() Greg Kroah-Hartman
2013-06-18 16:17 ` [ 05/48] ceph: add cpu_to_le32() calls when encoding a reconnect capability Greg Kroah-Hartman
2013-06-18 16:17 ` [ 06/48] ceph: ceph_pagelist_append might sleep while atomic Greg Kroah-Hartman
2013-06-18 16:17 ` [ 07/48] rbd: dont destroy ceph_opts in rbd_add() Greg Kroah-Hartman
2013-06-18 16:17 ` [ 08/48] drivers/rtc/rtc-twl.c: fix missing device_init_wakeup() when booted with device tree Greg Kroah-Hartman
2013-06-18 16:17 ` [ 09/48] drm/gma500/psb: Unpin framebuffer on crtc disable Greg Kroah-Hartman
2013-06-18 16:17 ` [ 10/48] drm/gma500/cdv: " Greg Kroah-Hartman
2013-06-18 16:17 ` Greg Kroah-Hartman [this message]
2013-06-18 16:17 ` [ 12/48] Bluetooth: Fix mgmt handling of power on failures Greg Kroah-Hartman
2013-06-18 16:17 ` [ 13/48] s390/pci: Implement IRQ functions if !PCI Greg Kroah-Hartman
2013-06-18 17:35 ` Ben Hutchings
2013-06-18 17:42 ` Greg Kroah-Hartman
2013-06-18 21:35 ` Ben Hutchings
2013-06-19 7:09 ` Martin Schwidefsky
2013-06-20 19:21 ` Greg Kroah-Hartman
2013-06-18 16:17 ` [ 14/48] ath9k: Disable PowerSave by default Greg Kroah-Hartman
2013-06-18 16:17 ` [ 15/48] Revert "ath9k_hw: Update rx gain initval to improve rx sensitivity" Greg Kroah-Hartman
2013-06-18 16:17 ` [ 16/48] ath9k: Use minstrel rate control by default Greg Kroah-Hartman
2013-06-18 16:17 ` [ 17/48] CPU hotplug: provide a generic helper to disable/enable CPU hotplug Greg Kroah-Hartman
2013-06-18 16:17 ` [ 18/48] reboot: rigrate shutdown/reboot to boot cpu Greg Kroah-Hartman
2013-06-18 16:17 ` [ 19/48] kmsg: honor dmesg_restrict sysctl on /dev/kmsg Greg Kroah-Hartman
2013-06-18 16:17 ` [ 20/48] cciss: fix broken mutex usage in ioctl Greg Kroah-Hartman
2013-06-18 16:17 ` [ 21/48] memcg: dont initialize kmem-cache destroying work for root caches Greg Kroah-Hartman
2013-06-18 16:17 ` [ 22/48] wl12xx: fix minimum required firmware version for wl127x multirole Greg Kroah-Hartman
2013-06-18 16:17 ` [ 23/48] drm/i915: prefer VBT modes for SVDO-LVDS over EDID Greg Kroah-Hartman
2013-06-18 16:17 ` [ 24/48] swap: avoid read_swap_cache_async() race to deadlock while waiting on discard I/O completion Greg Kroah-Hartman
2013-06-18 16:17 ` [ 25/48] md/raid1: consider WRITE as successful only if at least one non-Faulty and non-rebuilding drive completed it Greg Kroah-Hartman
2013-06-18 16:17 ` [ 26/48] md/raid1,5,10: Disable WRITE SAME until a recovery strategy is in place Greg Kroah-Hartman
2013-06-18 16:17 ` [ 27/48] md/raid1,raid10: use freeze_array in place of raise_barrier in various places Greg Kroah-Hartman
2013-06-18 16:17 ` [ 28/48] mm/page_alloc.c: fix watermark check in __zone_watermark_ok() Greg Kroah-Hartman
2013-06-18 16:17 ` [ 29/48] mm: migration: add migrate_entry_wait_huge() Greg Kroah-Hartman
2013-06-20 9:52 ` Satoru Takeuchi
2013-06-20 17:02 ` Greg Kroah-Hartman
2013-06-21 11:42 ` Satoru Takeuchi
2013-06-21 12:47 ` Michal Hocko
2013-06-21 22:56 ` Satoru Takeuchi
2013-06-22 12:28 ` Satoru Takeuchi
2013-06-27 18:48 ` Naoya Horiguchi
2013-06-18 16:17 ` [ 30/48] x86: Fix adjust_range_size_mask calling position Greg Kroah-Hartman
2013-06-18 16:17 ` [ 31/48] x86: Fix typo in kexec register clearing Greg Kroah-Hartman
2013-06-18 16:17 ` [ 32/48] drm/nv50/disp: force dac power state during load detect Greg Kroah-Hartman
2013-06-18 16:17 ` [ 33/48] drm/nv50/kms: use dac loadval from vbios, where its available Greg Kroah-Hartman
2013-06-18 16:18 ` [ 34/48] libceph: clear messenger auth_retry flag when we authenticate Greg Kroah-Hartman
2013-06-18 16:18 ` [ 35/48] libceph: fix authorizer invalidation Greg Kroah-Hartman
2013-06-18 16:18 ` [ 36/48] libceph: add update_authorizer auth method Greg Kroah-Hartman
2013-06-18 16:18 ` [ 37/48] libceph: wrap auth ops in wrapper functions Greg Kroah-Hartman
2013-06-18 16:18 ` [ 38/48] libceph: wrap auth methods in a mutex Greg Kroah-Hartman
2013-06-18 16:18 ` [ 39/48] Modify UEFI anti-bricking code Greg Kroah-Hartman
2013-06-18 16:18 ` [ 40/48] powerpc: Fix stack overflow crash in resume_kernel when ftracing Greg Kroah-Hartman
2013-06-18 16:18 ` [ 41/48] powerpc: Fix emulation of illegal instructions on PowerNV platform Greg Kroah-Hartman
2013-06-18 16:18 ` [ 42/48] powerpc: Fix missing/delayed calls to irq_work Greg Kroah-Hartman
2013-06-18 16:18 ` [ 43/48] usb: chipidea: fix id change handling Greg Kroah-Hartman
2013-06-18 16:18 ` [ 44/48] USB: pl2303: fix device initialisation at open Greg Kroah-Hartman
2013-06-18 16:18 ` [ 45/48] USB: f81232: " Greg Kroah-Hartman
2013-06-18 16:18 ` [ 46/48] USB: spcp8x5: " Greg Kroah-Hartman
2013-06-18 16:18 ` [ 47/48] tg3: Wait for boot code to finish after power on Greg Kroah-Hartman
2013-06-18 16:18 ` [ 48/48] ARM: Kirkwood: handle mv88f6282 cpu in __kirkwood_variant() Greg Kroah-Hartman
2013-06-18 21:55 ` [ 00/48] 3.9.7-stable review Shuah Khan
2013-06-18 22:11 ` Greg Kroah-Hartman
2013-06-18 22:58 ` Guenter Roeck
2013-06-18 23:26 ` Greg Kroah-Hartman
2013-06-20 10:02 ` Satoru Takeuchi
2013-06-20 17:01 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130618161727.498344365@linuxfoundation.org \
--to=greg@kroah.com \
--cc=gregkh@linuxfoundation.org \
--cc=gustavo.padovan@collabora.co.uk \
--cc=johan.hedberg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linville@tuxdriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).