Sophie

kernel-2.6.18-238.19.1.el5.centos.plus.src.rpm

From: Thomas Graf <tgraf@redhat.com>
Date: Thu, 23 Jun 2011 11:35:08 -0400
Subject: [net] bluetooth: l2cap and rfcomm: fix info leak to userspace
Message-id: <20110623113507.GB23009@lsx.localdomain>
Patchwork-id: 36922
O-Subject: [RHEL5.7 PATCH] bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
Bugzilla: 703021
RH-Acked-by: David S. Miller <davem@redhat.com>
RH-Acked-by: Petr Matousek <pmatouse@redhat.com>

Due to alignment reasons, both struct l2cap_conninfo and rfcomm_conninfo
contain a 1 byte hole which has been leaking data to userspace. Patch
closes the leaks by memset'ing the structures.

Fixes BZ703021

Brew:
https://brewweb.devel.redhat.com/taskinfo?taskID=3423815

Upstream:
commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f
Author: Filip Palian <s3810@pjwstk.edu.pl>
Date:   Thu May 12 19:32:46 2011 +0200

    Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

    Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
    byte each. This byte in "cinfo" is copied to userspace uninitialized.

    Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl>
    Acked-by: Marcel Holtmann <marcel@holtmann.org>
    Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index 7b9f167..51b5fb6 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c
@@ -1019,6 +1019,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch
 			break;
 		}
 
+		memset(&cinfo, 0, sizeof(cinfo));
 		cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
 		memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
 
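Review bot: The new `memset(&cinfo, 0, sizeof(cinfo));` in l2cap_sock_getsockopt() carries no comment explaining why it is needed, and because the fields are assigned on the very next two lines it reads as redundant to anyone who has not seen the commit message. A one-line comment stating that it clears the padding byte before the structure goes to userspace would protect it from a later cleanup. The same comment should say not to swap it for a `= { 0 }` initializer, since C does not guarantee that an initializer zeroes padding.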
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index d48e8ac..87c6df0 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -766,6 +766,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
 
 		l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
 
+		memset(&cinfo, 0, sizeof(cinfo));
 		cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
 		memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
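Review bot: In rfcomm_sock_getsockopt(), the line right after the new memset, `memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);`, still uses a bare length of 3 while the added memset sizes itself with `sizeof(cinfo)`. Using `sizeof(cinfo.dev_class)` there (and in the matching l2cap.c line) would keep the copy tied to the field, so a future layout change cannot leave part of the structure unwritten or overrun it. This is a style follow-up and does not need to hold up the backport.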