Re: [ 045/102] Bluetooth: Fix invalid length check in l2cap_information_rsp()

From: Greg Kroah-Hartman
Date: Fri Aug 09 2013 - 15:12:36 EST


On Fri, Aug 09, 2013 at 10:54:58AM +0300, Johan Hedberg wrote:
> Hi Greg,
>
> On Thu, Aug 08, 2013, Greg Kroah-Hartman wrote:
> > 3.10-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Jaganath Kanakkassery <jaganath.k@xxxxxxxxxxx>
> >
> > commit da9910ac4a816b4340944c78d94c02a35527db46 upstream.
> >
> > The length check is invalid since the length varies with type of
> > info response.
> >
> > This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888
> >
> > Because of this, l2cap info rsp is not handled and command reject is sent.
> >
> > > ACL data: handle 11 flags 0x02 dlen 16
> > L2CAP(s): Info rsp: type 2 result 0
> > Extended feature mask 0x00b8
> > Enhanced Retransmission mode
> > Streaming mode
> > FCS Option
> > Fixed Channels
> > < ACL data: handle 11 flags 0x00 dlen 10
> > L2CAP(s): Command rej: reason 0
> > Command not understood
> >
> > Signed-off-by: Jaganath Kanakkassery <jaganath.k@xxxxxxxxxxx>
> > Signed-off-by: Chan-Yeol Park <chanyeol.park@xxxxxxxxxxx>
> > Acked-by: Johan Hedberg <johan.hedberg@xxxxxxxxx>
> > Signed-off-by: Gustavo Padovan <gustavo.padovan@xxxxxxxxxxxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> >
> > ---
> > net/bluetooth/l2cap_core.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > --- a/net/bluetooth/l2cap_core.c
> > +++ b/net/bluetooth/l2cap_core.c
> > @@ -4240,7 +4240,7 @@ static inline int l2cap_disconnect_rsp(s
> > u16 dcid, scid;
> > struct l2cap_chan *chan;
> >
> > - if (cmd_len != sizeof(*rsp))
> > + if (cmd_len < sizeof(*rsp))
> > return -EPROTO;
> >
> > scid = __le16_to_cpu(rsp->scid);
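Review bot: the hunk context (`@@ -4240,7 +4240,7 @@ static inline int l2cap_disconnect_rsp(s`, with locals `u16 dcid, scid;`) shows this change landing in l2cap_disconnect_rsp(), while the subject and commit message describe a fix to l2cap_information_rsp(), whose payload length varies with the info type. A disconnect response is a fixed-size pair of CIDs, so relaxing `if (cmd_len != sizeof(*rsp))` to `if (cmd_len < sizeof(*rsp))` here does nothing for the reported command-reject and only loosens a check that was correct as written; the backport should be regenerated from the upstream commit so the one-line change hits the information-response handler.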
>
> This patch is already in 3.10 so there should be no need to try to
> backport it (not to mention that this backport itself is incorrect in
> that it modifies l2cap_disconnect_rsp whereas the original patch
> modifies l2cap_information_rsp).
>
> For whatever reason this commit seems to exist twice in Linus' tree: once
> before the v3.10 tag with id 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 and
> once after the v3.10 tag with id da9910ac4a816b4340944c78d94c02a35527db46
> (which is the upstream commit id referenced by your commit message).

Thanks, this came into Linus's tree twice, I missed that. I've now
dropped this from the 3.10-stable queue.

greg k-h
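To make the point in the commit message concrete (an exact-length check rejects every information response that actually carries data, while a minimum-length check still has to be followed by a per-type length check), here is a standalone parser for the L2CAP Information Response. This is an added example, not kernel code and not part of the patch; the type/length table follows the Bluetooth Core Specification, the constant names mirror the kernel's, and the sample bytes are constructed from the hcidump trace quoted above (type 2, result 0, extended feature mask 0x00b8).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* L2CAP Information Response: fixed 4-byte header, then type-dependent data.
 * Standalone illustration, not the kernel's struct or handler. */
struct l2cap_info_rsp {
    uint16_t type;     /* InfoType, little-endian */
    uint16_t result;   /* 0x0000 success, 0x0001 not supported */
} __attribute__((packed));

#define L2CAP_IT_CL_MTU     0x0001  /* connectionless MTU: 2 data bytes */
#define L2CAP_IT_FEAT_MASK  0x0002  /* extended features: 4 data bytes */
#define L2CAP_IT_FIXED_CHAN 0x0003  /* fixed channels bitmap: 8 data bytes */
#define L2CAP_IR_SUCCESS    0x0000
#define L2CAP_IR_NOTSUPP    0x0001

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Data bytes that follow the header in a successful response of this type. */
static int info_data_len(uint16_t type)
{
    switch (type) {
    case L2CAP_IT_CL_MTU:     return 2;
    case L2CAP_IT_FEAT_MASK:  return 4;
    case L2CAP_IT_FIXED_CHAN: return 8;
    default:                  return -1;
    }
}

/* The check before the upstream fix: an exact match rejects any response that carries data. */
int len_check_before(size_t cmd_len)
{
    return cmd_len != sizeof(struct l2cap_info_rsp) ? -1 : 0;
}

/* The check after the fix: only the fixed header is required up front. */
int len_check_after(size_t cmd_len)
{
    return cmd_len < sizeof(struct l2cap_info_rsp) ? -1 : 0;
}

struct info_rsp_parsed {
    uint16_t type;
    uint16_t result;
    uint64_t data;     /* MTU, feature mask or fixed-channel bitmap, zero-extended */
};

/* Parse the command payload (everything after the signaling command header).
 * Returns 0 on success, -1 where a Command Reject would be sent. */
int parse_info_rsp(const uint8_t *cmd, size_t cmd_len, struct info_rsp_parsed *out)
{
    if (len_check_after(cmd_len))
        return -1;
    out->type   = get_le16(cmd);
    out->result = get_le16(cmd + 2);
    out->data   = 0;
    if (out->result != L2CAP_IR_SUCCESS)
        return 0;                      /* NOTSUPP carries no data */
    int need = info_data_len(out->type);
    if (need < 0 || cmd_len < sizeof(struct l2cap_info_rsp) + (size_t)need)
        return -1;                     /* '<' on the header must not let a short data field through */
    for (int i = 0; i < need; i++)
        out->data |= (uint64_t)cmd[sizeof(struct l2cap_info_rsp) + i] << (8 * i);
    return 0;
}

/* Constructed from the quoted hcidump: "Info rsp: type 2 result 0, Extended feature
 * mask 0x00b8". ACL dlen 16 = 4 (L2CAP hdr) + 4 (signaling hdr) + these 8 bytes. */
static const uint8_t sample_cmd[] = { 0x02, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00 };

/* Returns the decoded feature mask of the sample, or -1 if the parser rejects it. */
long long decode_sample_mask(void)
{
    struct info_rsp_parsed p;
    if (parse_info_rsp(sample_cmd, sizeof(sample_cmd), &p) || p.type != L2CAP_IT_FEAT_MASK)
        return -1;
    return (long long)p.data;
}

/* The sample cut to 'truncate_to' bytes: exercises the per-type length check. */
int parse_sample_truncated(size_t truncate_to)
{
    struct info_rsp_parsed p;
    return parse_info_rsp(sample_cmd, truncate_to, &p);
}

int main(void)
{
    struct info_rsp_parsed p;
    printf("old check on dump: %s\n", len_check_before(sizeof(sample_cmd)) ? "reject" : "accept");
    printf("new check on dump: %s\n", len_check_after(sizeof(sample_cmd)) ? "reject" : "accept");
    if (parse_info_rsp(sample_cmd, sizeof(sample_cmd), &p) == 0)
        printf("type %u result %u data 0x%04llx\n", p.type, p.result, (unsigned long long)p.data);
    return 0;
}
```

With the 8-byte payload from the trace, `len_check_before` returns -1 (the Command Reject seen in the dump) and `len_check_after` accepts it; the mask 0x00b8 decodes to bits 0x08, 0x10, 0x20 and 0x80, which are the ERTM, Streaming, FCS and Fixed Channels lines hcidump printed. The point the relaxed check does not cover on its own is shown by the truncated cases: a 6-byte type-2 response passes the header check but is still rejected because the feature mask needs 4 data bytes.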
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/