aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth/hci_sock.c
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2007-05-04 18:35:59 -0400
committerMarcel Holtmann <marcel@holtmann.org>2007-05-04 18:35:59 -0400
commit0878b6667f28772aa7d6b735abff53efc7bf6d91 (patch)
tree5a1dbfb35f679335fbec4cbd17dfe64926db7750 /net/bluetooth/hci_sock.c
parentdc87c3985e9b442c60994308a96f887579addc39 (diff)
[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
The L2CAP and HCI setsockopt() implementations have a small information leak that makes it possible to leak kernel stack memory to userspace. If the optlen parameter is 0, no data will be copied by copy_from_user(), but the uninitialized stack buffer will be read and stored later. A call to getsockopt() can now retrieve the leaked information. To fix this problem the stack buffer given to copy_from_user() must be initialized with the current settings. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Diffstat (limited to 'net/bluetooth/hci_sock.c')
-rw-r--r--net/bluetooth/hci_sock.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 832b5f44be5..bfc9a35bad3 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
499 break; 499 break;
500 500
501 case HCI_FILTER: 501 case HCI_FILTER:
502 {
503 struct hci_filter *f = &hci_pi(sk)->filter;
504
505 uf.type_mask = f->type_mask;
506 uf.opcode = f->opcode;
507 uf.event_mask[0] = *((u32 *) f->event_mask + 0);
508 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
509 }
510
502 len = min_t(unsigned int, len, sizeof(uf)); 511 len = min_t(unsigned int, len, sizeof(uf));
503 if (copy_from_user(&uf, optval, len)) { 512 if (copy_from_user(&uf, optval, len)) {
504 err = -EFAULT; 513 err = -EFAULT;