www.infradead.org Git - users/jedix/linux-maple.git/commit
Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
author Marcel Holtmann <marcel@holtmann.org>
Fri, 18 Jan 2019 12:43:19 +0000 (13:43 +0100)
committer Brian Maly <brian.maly@oracle.com>
Tue, 28 May 2019 19:43:45 +0000 (15:43 -0400)
commit 2b25986cb649b9d1cff8d6b2b4a84bb3aba536f8
tree 4ac5d6e837cd15aad12d0451457045346aa4eee3
parent 5a3dabbecf465f5e3e91d2f25c4823b8f5f526c9
Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer

The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len
as length value. The opt->len however is in control over the remote user
and can be used by an attacker to gain access beyond the bounds of the
actual packet.

To prevent any potential leak of heap memory, it is enough to check that
the resulting len calculation after calling l2cap_get_conf_opt is not
below zero. A well formed packet will always return >= 0 here and will
end with the length value being zero after the last option has been
parsed. In case of malformed packets messing with the opt->len field the
length value will become negative. If that is the case, then just abort
and ignore the option.

In case an attacker uses a too short opt->len value, then garbage will
be parsed, but that is protected by the unknown option handling and also
the option parameter size checks.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Orabug: 29526426
CVE: CVE-2019-3459
(cherry picked from commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69)
Signed-off-by: Dan Duval <dan.duval@oracle.com>
Reviewed-by: Jack Vogel <jack.vogel@oracle.com>
Signed-off-by: Brian Maly <brian.maly@oracle.com>
net/bluetooth/l2cap_core.c
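
The length accounting the commit message describes, as an added user-space example that is not the kernel's code or part of this commit. The names `get_opt`, `count_valid_opts` and `OPT_HDR_SIZE` are hypothetical and both sample packets are constructed; the option header is assumed to be one type byte plus one length byte.

```c
#include <stdint.h>
#include <stdio.h>

#define OPT_HDR_SIZE 2 /* type byte + len byte, modelling L2CAP_CONF_OPT_SIZE */

/* Constructed sample packets: two options each, laid out as type/len/value. */
static const uint8_t well_formed[] = {0x01, 0x02, 0xA0, 0x02, 0x02, 0x02, 0xFF, 0xFF};
static const uint8_t malformed[]   = {0x01, 0x02, 0xA0, 0x02, 0x02, 0x40, 0xFF, 0xFF};

/* Hypothetical model of the option reader: reports the header size plus
 * the sender-declared value length without reading the value itself. */
static int get_opt(const uint8_t *opt, uint8_t *type, uint8_t *olen)
{
    *type = opt[0];
    *olen = opt[1];
    return OPT_HDR_SIZE + *olen;
}

/* Returns the number of options accepted; *overrun is set when an option's
 * declared length extends past the end of the packet. */
int count_valid_opts(const uint8_t *buf, int buflen, int *overrun)
{
    int len = buflen, off = 0, n = 0;
    uint8_t type, olen;

    *overrun = 0;
    while (len >= OPT_HDR_SIZE) {
        int used = get_opt(buf + off, &type, &olen);
        len -= used;
        if (len < 0) {      /* value would lie beyond the packet: abort */
            *overrun = 1;
            break;
        }
        off += used;        /* value bytes buf[off - olen .. off) are in bounds */
        n++;
    }
    return n;
}

int main(void)
{
    int o, n = count_valid_opts(well_formed, sizeof well_formed, &o);
    printf("well-formed: %d options, overrun=%d\n", n, o);
    n = count_valid_opts(malformed, sizeof malformed, &o);
    printf("malformed:   %d options, overrun=%d\n", n, o);
    return 0;
}
```

In the malformed packet the second option declares 0x40 value bytes with only two remaining, so the running length drops below zero and parsing stops before any value byte of that option is used.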