summaryrefslogtreecommitdiff
path: root/Documentation/device-mapper
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2019-01-18 13:43:19 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-04-03 06:25:07 +0200
commit2b59d36f22622c92c0b06aee7571f0a86a217188 (patch)
tree78180728a60cec212043479f6bdf686774625266 /Documentation/device-mapper
parent82868814a87236b17ac588fbb779c87616e99345 (diff)
Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 upstream. The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len as length value. The opt->len however is in control over the remote user and can be used by an attacker to gain access beyond the bounds of the actual packet. To prevent any potential leak of heap memory, it is enough to check that the resulting len calculation after calling l2cap_get_conf_opt is not below zero. A well formed packet will always return >= 0 here and will end with the length value being zero after the last option has been parsed. In case of malformed packets messing with the opt->len field the length value will become negative. If that is the case, then just abort and ignore the option. In case an attacker uses a too short opt->len value, then garbage will be parsed, but that is protected by the unknown option handling and also the option parameter size checks. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'Documentation/device-mapper')
0 files changed, 0 insertions, 0 deletions