From: Thomas Graf <tgraf@redhat.com>
Date: Thu, 23 Jun 2011 11:35:08 -0400
Subject: [net] bluetooth: l2cap and rfcomm: fix info leak to userspace
Message-id: <20110623113507.GB23009@lsx.localdomain>
Patchwork-id: 36922
O-Subject: [RHEL5.7 PATCH] bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
Bugzilla: 703021
RH-Acked-by: David S. Miller <davem@redhat.com>
RH-Acked-by: Petr Matousek <pmatouse@redhat.com>

Due to alignment reasons, both struct l2cap_conninfo and rfcomm_conninfo contain a 1 byte hole which has been leaking data to userspace. Patch closes the leaks by memset'ing the structures.

Fixes BZ703021
Brew: https://brewweb.devel.redhat.com/taskinfo?taskID=3423815

Upstream: commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f
Author: Filip Palian <s3810@pjwstk.edu.pl>
Date: Thu May 12 19:32:46 2011 +0200

Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding byte each. This byte in "cinfo" is copied to userspace uninitialized.

Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c index 7b9f167..51b5fb6 100644 --- a/net/bluetooth/l2cap.c +++ b/net/bluetooth/l2cap.c @@ -1019,6 +1019,7 @@ static int l2cap_sock_getsockopt(struct socket *sock, int level, int optname, ch break; } + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index d48e8ac..87c6df0 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c
@@ -766,6 +766,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
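Review bot: In the l2cap_sock_getsockopt hunk, memset over sizeof(cinfo) is the right tool rather than a zero initializer at the declaration, because the C standard does not guarantee that `= {0}` clears padding bytes, and the padding byte is exactly what the changelog says is reaching userspace; the placement after the preceding `break; }` and before `cinfo.hci_handle = ...` means every byte of the structure is defined before any field is written. Keep the memset as the first statement touching cinfo in this case so that any field added to struct l2cap_conninfo later is covered as well, and consider a one-line comment on it stating that it clears structure padding, so a future cleanup does not swap it for per-field initialization and reintroduce the leak.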
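Review bot: In the rfcomm_sock_getsockopt hunk the memset lands after `l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;` and before the first assignment to cinfo, so the ordering is correct; the visible `memcpy(cinfo.dev_class, ..., 3)` fills exactly three bytes, which is why the adjacent alignment hole could only be cleared by zeroing the whole structure rather than by the field assignments themselves. Since this path reuses the l2cap connection info through l2cap_sk, the same comment suggested for the l2cap hunk (that the memset exists to clear padding) belongs here too, so the two sites stay in step.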