diff options
| author |   Marcel Holtmann <marcel@holtmann.org> | 2007-05-05 00:35:59 +0200 |
|---|---|---|
| committer | Marcel Holtmann <marcel@holtmann.org> | 2007-05-05 00:35:59 +0200 |
| commit | 0878b6667f28772aa7d6b735abff53efc7bf6d91 (patch) | |
| tree | 5a1dbfb35f679335fbec4cbd17dfe64926db7750 /net/bluetooth/hci_sock.c | |
| parent | libata: honour host controllers that want just one host (diff) | |
| download | linux-dev-0878b6667f28772aa7d6b735abff53efc7bf6d91.tar.xz linux-dev-0878b6667f28772aa7d6b735abff53efc7bf6d91.zip | |
[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
The L2CAP and HCI setsockopt() implementations have a small information
leak that makes it possible to leak kernel stack memory to userspace.
If the optlen parameter is 0, no data will be copied by copy_from_user(),
but the uninitialized stack buffer will be read and stored later. A call
to getsockopt() can now retrieve the leaked information.
To fix this problem the stack buffer given to copy_from_user() must be
initialized with the current settings.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/hci_sock.c')
| -rw-r--r-- | net/bluetooth/hci_sock.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 832b5f44be5c..bfc9a35bad33 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char break; case HCI_FILTER: + { + struct hci_filter *f = &hci_pi(sk)->filter; + + uf.type_mask = f->type_mask; + uf.opcode = f->opcode; + uf.event_mask[0] = *((u32 *) f->event_mask + 0); + uf.event_mask[1] = *((u32 *) f->event_mask + 1); + } + len = min_t(unsigned int, len, sizeof(uf)); if (copy_from_user(&uf, optval, len)) { err = -EFAULT; |