From: Ben Seri <ben@armis.com>
Date: Mon, 04 Dec 2017 14:13:25 +0000
Subject: bluetooth: Prevent stack info leak from the EFS element.
Origin: http://www.openwall.com/lists/oss-security/2017/12/06/3
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2017-1000410
Signed-off-by: Ben Seri <ben@armis.com>
---
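--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -3363,9 +3363,10 @@ static int l2cap_parse_conf_req(struct l
 break;
 
 case L2CAP_CONF_EFS:
- remote_efs = 1;
- if (olen == sizeof(efs))
+ if (olen == sizeof(efs)) {
+ remote_efs = 1;
 memcpy(&efs, (void *) val, olen);
+ }
 break;
 
 case L2CAP_CONF_EWS:
@@ -3584,16 +3585,17 @@ static int l2cap_parse_conf_rsp(struct l
 break;
 
 case L2CAP_CONF_EFS:
- if (olen == sizeof(efs))
+ if (olen == sizeof(efs)) {
 memcpy(&efs, (void *)val, olen);
 
- if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
- efs.stype != L2CAP_SERV_NOTRAFIC &&
- efs.stype != chan->local_stype)
- return -ECONNREFUSED;
+ if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&
+ efs.stype != L2CAP_SERV_NOTRAFIC &&
+ efs.stype != chan->local_stype)
+ return -ECONNREFUSED;
 
- l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
- (unsigned long) &efs, endptr - ptr);
+ l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs),
+ (unsigned long) &efs, endptr - ptr);
+ }
 break;
 
 case L2CAP_CONF_FCS: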
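Review bot: In both `case L2CAP_CONF_EFS:` branches the local `efs` is still left unwritten when `olen != sizeof(efs)`, so the leak stays closed only while every later reader of `efs` is gated on `remote_efs` or sits inside the new braces. The declarations are outside these hunks, but if `efs` is a plain stack variable there, zero-initialising it (for example `memset(&efs, 0, sizeof(efs));` before the option loop) would make a future unguarded use send zeros rather than stack contents. A wrong-length EFS option is now dropped silently in both parsers; a short comment such as `/* ignore EFS with unexpected length: efs would be uninitialised */` would record that this is deliberate. Both functions begin and end outside the hunks shown.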