From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ben Seri <ben@armis.com>,
Marcel Holtmann <marcel@holtmann.org>,
Linus Torvalds <torvalds@linux-foundation.org>
Subject: [PATCH 4.4 29/31] Bluetooth: Properly check L2CAP config option output buffer length
Date: Tue, 12 Sep 2017 09:56:24 -0700 [thread overview]
Message-ID: <20170912165248.841769539@linuxfoundation.org> (raw)
In-Reply-To: <20170912165247.436880944@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Seri <ben@armis.com>
commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/l2cap_core.c | 80 ++++++++++++++++++++++++---------------------
1 file changed, 43 insertions(+), 37 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -57,7 +57,7 @@ static struct sk_buff *l2cap_build_cmd(s
u8 code, u8 ident, u16 dlen, void *data);
static void l2cap_send_cmd(struct l2cap_conn *conn, u8 ident, u8 code, u16 len,
void *data);
-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data);
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size);
static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err);
static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control,
@@ -1462,7 +1462,7 @@ static void l2cap_conn_start(struct l2ca
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -2966,12 +2966,15 @@ static inline int l2cap_get_conf_opt(voi
return len;
}
-static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val)
+static void l2cap_add_conf_opt(void **ptr, u8 type, u8 len, unsigned long val, size_t size)
{
struct l2cap_conf_opt *opt = *ptr;
BT_DBG("type 0x%2.2x len %u val 0x%lx", type, len, val);
+ if (size < L2CAP_CONF_OPT_SIZE + len)
+ return;
+
opt->type = type;
opt->len = len;
@@ -2996,7 +2999,7 @@ static void l2cap_add_conf_opt(void **pt
*ptr += L2CAP_CONF_OPT_SIZE + len;
}
-static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan)
+static void l2cap_add_opt_efs(void **ptr, struct l2cap_chan *chan, size_t size)
{
struct l2cap_conf_efs efs;
@@ -3024,7 +3027,7 @@ static void l2cap_add_opt_efs(void **ptr
}
l2cap_add_conf_opt(ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, size);
}
static void l2cap_ack_timeout(struct work_struct *work)
@@ -3170,11 +3173,12 @@ static inline void l2cap_txwin_setup(str
chan->ack_win = chan->tx_win;
}
-static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data)
+static int l2cap_build_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
{
struct l2cap_conf_req *req = data;
struct l2cap_conf_rfc rfc = { .mode = chan->mode };
void *ptr = req->data;
+ void *endptr = data + data_size;
u16 size;
BT_DBG("chan %p", chan);
@@ -3199,7 +3203,7 @@ static int l2cap_build_conf_req(struct l
done:
if (chan->imtu != L2CAP_DEFAULT_MTU)
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
switch (chan->mode) {
case L2CAP_MODE_BASIC:
@@ -3218,7 +3222,7 @@ done:
rfc.max_pdu_size = 0;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
break;
case L2CAP_MODE_ERTM:
@@ -3238,21 +3242,21 @@ done:
L2CAP_DEFAULT_TX_WINDOW);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
- l2cap_add_opt_efs(&ptr, chan);
+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
if (test_bit(FLAG_EXT_CTRL, &chan->flags))
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
- chan->tx_win);
+ chan->tx_win, endptr - ptr);
if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
if (chan->fcs == L2CAP_FCS_NONE ||
test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
chan->fcs = L2CAP_FCS_NONE;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
- chan->fcs);
+ chan->fcs, endptr - ptr);
}
break;
@@ -3270,17 +3274,17 @@ done:
rfc.max_pdu_size = cpu_to_le16(size);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags))
- l2cap_add_opt_efs(&ptr, chan);
+ l2cap_add_opt_efs(&ptr, chan, endptr - ptr);
if (chan->conn->feat_mask & L2CAP_FEAT_FCS)
if (chan->fcs == L2CAP_FCS_NONE ||
test_bit(CONF_RECV_NO_FCS, &chan->conf_state)) {
chan->fcs = L2CAP_FCS_NONE;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_FCS, 1,
- chan->fcs);
+ chan->fcs, endptr - ptr);
}
break;
}
@@ -3291,10 +3295,11 @@ done:
return ptr - data;
}
-static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data)
+static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data_size)
{
struct l2cap_conf_rsp *rsp = data;
void *ptr = rsp->data;
+ void *endptr = data + data_size;
void *req = chan->conf_req;
int len = chan->conf_len;
int type, hint, olen;
@@ -3396,7 +3401,7 @@ done:
return -ECONNREFUSED;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
}
if (result == L2CAP_CONF_SUCCESS) {
@@ -3409,7 +3414,7 @@ done:
chan->omtu = mtu;
set_bit(CONF_MTU_DONE, &chan->conf_state);
}
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->omtu, endptr - ptr);
if (remote_efs) {
if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
@@ -3423,7 +3428,7 @@ done:
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, endptr - ptr);
} else {
/* Send PENDING Conf Rsp */
result = L2CAP_CONF_PENDING;
@@ -3456,7 +3461,7 @@ done:
set_bit(CONF_MODE_DONE, &chan->conf_state);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
- sizeof(rfc), (unsigned long) &rfc);
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
chan->remote_id = efs.id;
@@ -3470,7 +3475,7 @@ done:
le32_to_cpu(efs.sdu_itime);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS,
sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, endptr - ptr);
}
break;
@@ -3484,7 +3489,7 @@ done:
set_bit(CONF_MODE_DONE, &chan->conf_state);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, sizeof(rfc),
- (unsigned long) &rfc);
+ (unsigned long) &rfc, endptr - ptr);
break;
@@ -3506,10 +3511,11 @@ done:
}
static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
- void *data, u16 *result)
+ void *data, size_t size, u16 *result)
{
struct l2cap_conf_req *req = data;
void *ptr = req->data;
+ void *endptr = data + size;
int type, olen;
unsigned long val;
struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };
@@ -3527,13 +3533,13 @@ static int l2cap_parse_conf_rsp(struct l
chan->imtu = L2CAP_DEFAULT_MIN_MTU;
} else
chan->imtu = val;
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_MTU, 2, chan->imtu, endptr - ptr);
break;
case L2CAP_CONF_FLUSH_TO:
chan->flush_to = val;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_FLUSH_TO,
- 2, chan->flush_to);
+ 2, chan->flush_to, endptr - ptr);
break;
case L2CAP_CONF_RFC:
@@ -3547,13 +3553,13 @@ static int l2cap_parse_conf_rsp(struct l
chan->fcs = 0;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
- sizeof(rfc), (unsigned long) &rfc);
+ sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
break;
case L2CAP_CONF_EWS:
chan->ack_win = min_t(u16, val, chan->ack_win);
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EWS, 2,
- chan->tx_win);
+ chan->tx_win, endptr - ptr);
break;
case L2CAP_CONF_EFS:
@@ -3566,7 +3572,7 @@ static int l2cap_parse_conf_rsp(struct l
return -ECONNREFUSED;
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs);
+ (unsigned long) &efs, endptr - ptr);
break;
case L2CAP_CONF_FCS:
@@ -3671,7 +3677,7 @@ void __l2cap_connect_rsp_defer(struct l2
return;
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -3879,7 +3885,7 @@ sendresp:
u8 buf[128];
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -3957,7 +3963,7 @@ static int l2cap_connect_create_rsp(stru
break;
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, req), req);
+ l2cap_build_conf_req(chan, req, sizeof(req)), req);
chan->num_conf_req++;
break;
@@ -4069,7 +4075,7 @@ static inline int l2cap_config_req(struc
}
/* Complete config. */
- len = l2cap_parse_conf_req(chan, rsp);
+ len = l2cap_parse_conf_req(chan, rsp, sizeof(rsp));
if (len < 0) {
l2cap_send_disconn_req(chan, ECONNRESET);
goto unlock;
@@ -4103,7 +4109,7 @@ static inline int l2cap_config_req(struc
if (!test_and_set_bit(CONF_REQ_SENT, &chan->conf_state)) {
u8 buf[64];
l2cap_send_cmd(conn, l2cap_get_ident(conn), L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
@@ -4163,7 +4169,7 @@ static inline int l2cap_config_rsp(struc
char buf[64];
len = l2cap_parse_conf_rsp(chan, rsp->data, len,
- buf, &result);
+ buf, sizeof(buf), &result);
if (len < 0) {
l2cap_send_disconn_req(chan, ECONNRESET);
goto done;
@@ -4193,7 +4199,7 @@ static inline int l2cap_config_rsp(struc
/* throw out any old stored conf requests */
result = L2CAP_CONF_SUCCESS;
len = l2cap_parse_conf_rsp(chan, rsp->data, len,
- req, &result);
+ req, sizeof(req), &result);
if (len < 0) {
l2cap_send_disconn_req(chan, ECONNRESET);
goto done;
@@ -4770,7 +4776,7 @@ static void l2cap_do_create(struct l2cap
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(chan->conn, l2cap_get_ident(chan->conn),
L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf), buf);
+ l2cap_build_conf_req(chan, buf, sizeof(buf)), buf);
chan->num_conf_req++;
}
}
@@ -7442,7 +7448,7 @@ static void l2cap_security_cfm(struct hc
set_bit(CONF_REQ_SENT, &chan->conf_state);
l2cap_send_cmd(conn, l2cap_get_ident(conn),
L2CAP_CONF_REQ,
- l2cap_build_conf_req(chan, buf),
+ l2cap_build_conf_req(chan, buf, sizeof(buf)),
buf);
chan->num_conf_req++;
}
next prev parent reply other threads:[~2017-09-12 16:57 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-12 16:55 [PATCH 4.4 00/31] 4.4.88-stable review Greg Kroah-Hartman
2017-09-12 16:55 ` [PATCH 4.4 01/31] usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard Greg Kroah-Hartman
2017-09-12 16:55 ` [PATCH 4.4 02/31] USB: serial: option: add support for D-Link DWM-157 C1 Greg Kroah-Hartman
2017-09-12 16:55 ` [PATCH 4.4 03/31] usb: Add device quirk for Logitech HD Pro Webcam C920-C Greg Kroah-Hartman
2017-09-12 16:55 ` [PATCH 4.4 04/31] usb:xhci:Fix regression when ATI chipsets detected Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 05/31] USB: core: Avoid race of async_completed() w/ usbdev_release() Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 06/31] staging/rts5208: fix incorrect shift to extract upper nybble Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 07/31] driver core: bus: Fix a potential double free Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 08/31] intel_th: pci: Add Cannon Lake PCH-H support Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 09/31] intel_th: pci: Add Cannon Lake PCH-LP support Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 10/31] ath10k: fix memory leak in rx ring buffer allocation Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 11/31] Input: trackpoint - assume 3 buttons when buttons detection fails Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 12/31] rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 13/31] Bluetooth: Add support of 13d3:3494 RTL8723BE device Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 15/31] mwifiex: correct channel stat buffer overflows Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 16/31] drm/nouveau/pci/msi: disable MSI on big-endian platforms by default Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 17/31] workqueue: Fix flag collision Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 18/31] cs5536: add support for IDE controller variant Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 19/31] scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 20/31] scsi: sg: recheck MMAP_IO request length with lock held Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 21/31] drm: adv7511: really enable interrupts for EDID detection Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 22/31] drm/bridge: adv7511: Fix mutex deadlock when interrupts are disabled Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 23/31] drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context Greg Kroah-Hartman
2017-10-13 13:53 ` Ben Hutchings
2017-09-12 16:56 ` [PATCH 4.4 24/31] drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event() Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 25/31] drm/bridge: adv7511: Re-write the i2c address before EDID probing Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 26/31] btrfs: resume qgroup rescan on rw remount Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 28/31] ALSA: msnd: Optimize / harden DSP and MIDI loops Greg Kroah-Hartman
2017-09-12 16:56 ` Greg Kroah-Hartman [this message]
2017-09-12 16:56 ` [PATCH 4.4 30/31] ARM: 8692/1: mm: abort uaccess retries upon fatal signal Greg Kroah-Hartman
2017-09-12 16:56 ` [PATCH 4.4 31/31] NFS: Fix 2 use after free issues in the I/O code Greg Kroah-Hartman
2017-09-13 0:11 ` [PATCH 4.4 00/31] 4.4.88-stable review Shuah Khan
[not found] ` <59b8666e.cd5e1c0a.73fbf.2682@mx.google.com>
2017-09-13 1:03 ` Greg Kroah-Hartman
2017-09-13 21:57 ` Kevin Hilman
2017-09-19 5:50 ` Stephen Boyd
2017-09-19 11:14 ` Mark Brown
2017-09-13 14:32 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170912165248.841769539@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben@armis.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcel@holtmann.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).