[PATCH] rfcomm: fix information leak in rfcomm_sock_bind

From: Insu Yun
Date: Tue Jan 05 2016 - 23:37:31 EST

Next message: Dan Williams: "Re: [PATCH v7 3/3] x86, mce: Add __mcsafe_copy()"
Previous message: Masahiro Yamada: "[PATCH 1/2] clk: add clk_unregister_fixed_factor()"
Next in thread: Marcel Holtmann: "Re: [PATCH] rfcomm: fix information leak in rfcomm_sock_bind"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

if addr_len < sizeof(sa), sa.rc_bdaddr(4bytes) can be leaked
by using rfcomm_sock_getname()

Signed-off-by: Insu Yun <wuninsu@xxxxxxxxx>
---
net/bluetooth/rfcomm/sock.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 7511df7..d61dfdc 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -336,14 +336,15 @@ static int rfcomm_sock_bind(struct socket *sock, struct sockaddr *addr, int addr
{
struct sockaddr_rc sa;
struct sock *sk = sock->sk;
- int len, err = 0;
+ int err = 0;

if (!addr || addr->sa_family != AF_BLUETOOTH)
return -EINVAL;

- memset(&sa, 0, sizeof(sa));
- len = min_t(unsigned int, sizeof(sa), addr_len);
- memcpy(&sa, addr, len);
+ if (addr_len != sizeof(sa))
+ return -EINVAL;
+
+ memcpy(&sa, addr, addr_len);

BT_DBG("sk %p %pMR", sk, &sa.rc_bdaddr);

--
1.9.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Dan Williams: "Re: [PATCH v7 3/3] x86, mce: Add __mcsafe_copy()"
Previous message: Masahiro Yamada: "[PATCH 1/2] clk: add clk_unregister_fixed_factor()"
Next in thread: Marcel Holtmann: "Re: [PATCH] rfcomm: fix information leak in rfcomm_sock_bind"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]