aboutsummaryrefslogtreecommitdiffstats
path: root/net/bluetooth
diff options
context:
space:
mode:
authorDavid Herrmann <dh.herrmann@gmail.com>2013-04-05 08:57:34 -0400
committerGustavo Padovan <gustavo.padovan@collabora.co.uk>2013-04-05 22:44:14 -0400
commitb3916db32c4a3124eee9f3742a2f4723731d7602 (patch)
tree342531410aa6985decfc173e3bf892d7b4ec47e8 /net/bluetooth
parentc849edbdc2fc3a9ba37ae6810d7a1e2c92b302d7 (diff)
Bluetooth: hidp: verify l2cap sockets
We need to verify that the given sockets actually are l2cap sockets. If they aren't, we are not supposed to access bt_sk(sock) and we shouldn't start the session if the offsets turn out to be valid local BT addresses. That is, if someone passes a TCP socket to HIDCONNADD, then we access some random offset in the TCP socket (which isn't even guaranteed to be valid). Fix this by checking that the socket is an l2cap socket. Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Diffstat (limited to 'net/bluetooth')
-rw-r--r--net/bluetooth/hidp/core.c2
-rw-r--r--net/bluetooth/l2cap_sock.c6
2 files changed, 8 insertions, 0 deletions
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 2342327f3335..4ab82cb3eac3 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -973,6 +973,8 @@ int hidp_add_connection(struct hidp_connadd_req *req, struct socket *ctrl_sock,
973 973
974 BT_DBG(""); 974 BT_DBG("");
975 975
976 if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
977 return -EINVAL;
976 if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) || 978 if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
977 bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst)) 979 bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
978 return -ENOTUNIQ; 980 return -ENOTUNIQ;
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 7f9704993b74..141e7b058b7e 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -43,6 +43,12 @@ static void l2cap_sock_init(struct sock *sk, struct sock *parent);
43static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock, 43static struct sock *l2cap_sock_alloc(struct net *net, struct socket *sock,
44 int proto, gfp_t prio); 44 int proto, gfp_t prio);
45 45
46bool l2cap_is_socket(struct socket *sock)
47{
48 return sock && sock->ops == &l2cap_sock_ops;
49}
50EXPORT_SYMBOL(l2cap_is_socket);
51
46static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) 52static int l2cap_sock_bind(struct socket *sock, struct sockaddr *addr, int alen)
47{ 53{
48 struct sock *sk = sock->sk; 54 struct sock *sk = sock->sk;