Re: [PATCH] Bluetooth: Prevent buffer overflow in l2cap configrequest

From: Gustavo F. Padovan
Date: Tue Jun 28 2011 - 14:02:13 EST

Next message: Aditya Kali: "Re: [RFC PATCH 4/4] cgroups: Add an rlimit subsystem"
Previous message: Daniel Baluta: "Re: [PATCH 1/3] char drivers: ramoops default platform device formodule parameter use"
In reply to: Dan Rosenberg: "[PATCH] Bluetooth: Prevent buffer overflow in l2cap config request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Dan,

* Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> [2011-06-24 08:38:05 -0400]:

> A remote user can provide a small value for the command size field in
> the command header of an l2cap configuration request, resulting in an
> integer underflow when subtracting the size of the configuration request
> header. This results in copying a very large amount of data via
> memcpy() and destroying the kernel heap. Check for underflow.
>
> Signed-off-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxx>
> ---
> net/bluetooth/l2cap_core.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)

Applied, thanks.

Gustavo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Aditya Kali: "Re: [RFC PATCH 4/4] cgroups: Add an rlimit subsystem"
Previous message: Daniel Baluta: "Re: [PATCH 1/3] char drivers: ramoops default platform device formodule parameter use"
In reply to: Dan Rosenberg: "[PATCH] Bluetooth: Prevent buffer overflow in l2cap config request"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]