bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575)

debian/changelog

@@ -4,6 +4,7 @@ linux (4.3.3-3) UNRELEASED; urgency=medium
   * [ppc64*] drm: Enable DRM_AST as module (Closes: #808338)
   * block: ensure to split after potentially bouncing a bio (Closes: #809082)
   * pptp: verify sockaddr_len in pptp_bind() and pptp_connect() (CVE-2015-8569)
+  * bluetooth: Validate socket address length in sco_sock_bind() (CVE-2015-8575)
 
   [ Salvatore Bonaccorso ]
   * ovl: fix permission checking for setattr (CVE-2015-8660)

debian/patches/bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch

@@ -0,0 +1,22 @@
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 15 Dec 2015 15:39:08 -0500
+Subject: bluetooth: Validate socket address length in sco_sock_bind().
+Origin: https://git.kernel.org/linus/5233252fce714053f0151680933571a2da9cbfb4
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+---
+ net/bluetooth/sco.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -519,6 +519,9 @@ static int sco_sock_bind(struct socket *
+ 	if (!addr || addr->sa_family != AF_BLUETOOTH)
+ 		return -EINVAL;
+ 
++	if (addr_len < sizeof(struct sockaddr_sco))
++		return -EINVAL;
++
+ 	lock_sock(sk);
+ 
+ 	if (sk->sk_state != BT_OPEN) {

debian/patches/series

@@ -108,3 +108,4 @@ debian/armhf-sparc64-force-zone_dma-to-be-enabled.patch
 bugfix/all/ovl-fix-permission-checking-for-setattr.patch
 bugfix/all/block-ensure-to-split-after-potentially-bouncing-a-b.patch
 bugfix/all/pptp-verify-sockaddr_len-in-pptp_bind-and-pptp_conne.patch
+bugfix/all/bluetooth-validate-socket-address-length-in-sco_sock.patch