Author: dannf
Date: Tue Feb 27 08:13:41 2007
New Revision: 8327

Added:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/241_bluetooth-capi-size-checks.diff
Modified:
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Log:
* 241_bluetooth-capi-size-checks.diff
  [SECURITY] Add additional length checks to avoid potential remote
  DoS attacks in the handling of CAPI messages in the bluetooth driver
  See CVE-2006-6106

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
 Tue Feb 27 08:13:41 2007
@@ -6,8 +6,12 @@
   * [ERRATA] 240_smbfs-honor-mount-opts-2.diff
     Fix some regressions with respect to file types (e.g., symlinks)
     introduced by the fix for CVE-2006-5871 in 2.4.27-10sarge5
+  * 241_bluetooth-capi-size-checks.diff
+    [SECURITY] Add additional length checks to avoid potential remote
+    DoS attacks in the handling of CAPI messages in the bluetooth driver
+    See CVE-2006-6106
 
- -- dann frazier <[EMAIL PROTECTED]>  Sat, 10 Feb 2007 14:02:16 -0700
+ -- dann frazier <[EMAIL PROTECTED]>  Tue, 27 Feb 2007 00:10:14 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/241_bluetooth-capi-size-checks.diff
==============================================================================
--- (empty file)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/241_bluetooth-capi-size-checks.diff
       Tue Feb 27 08:13:41 2007
@@ -0,0 +1,120 @@
+From: Marcel Holtmann <[EMAIL PROTECTED]>
+Date: Thu, 14 Dec 2006 12:53:31 +0000 (+0100)
+Subject: [PATCH] [Bluetooth] Add packet size checks for CAPI messages 
(CVE-2006-6106)
+X-Git-Tag: v2.4.34-rc2~1
+X-Git-Url: 
http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=58d134d0a42e96d01f545ca17efd2837b7ec90aa
+
+[PATCH] [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)
+
+With malformed packets it might be possible to overwrite internal
+CMTP and CAPI data structures. This patch adds additional length
+checks to prevent these kinds of remote attacks.
+
+Signed-off-by: Marcel Holtmann <[EMAIL PROTECTED]>
+---
+
+diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
+index cc91b75..6273fe3 100644
+--- a/net/bluetooth/cmtp/capi.c
++++ b/net/bluetooth/cmtp/capi.c
+@@ -192,6 +192,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session 
*session, struct sk_buff *s
+ 
+       switch (CAPIMSG_SUBCOMMAND(skb->data)) {
+       case CAPI_CONF:
++              if (skb->len < CAPI_MSG_BASELEN + 10)
++                      break;
++
+               func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5);
+               info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8);
+ 
+@@ -222,6 +225,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session 
*session, struct sk_buff *s
+                       break;
+ 
+               case CAPI_FUNCTION_GET_PROFILE:
++                      if (skb->len < CAPI_MSG_BASELEN + 11 + 
sizeof(capi_profile))
++                              break;
++
+                       controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 
11);
+                       msgnum = CAPIMSG_MSGID(skb->data);
+ 
+@@ -242,17 +248,26 @@ static void cmtp_recv_interopmsg(struct cmtp_session 
*session, struct sk_buff *s
+                       break;
+ 
+               case CAPI_FUNCTION_GET_MANUFACTURER:
++                      if (skb->len < CAPI_MSG_BASELEN + 15)
++                              break;
++
+                       controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 
10);
+ 
+                       if (!info && ctrl) {
++                              int len = min_t(uint, CAPI_MANUFACTURER_LEN,
++                                              skb->data[CAPI_MSG_BASELEN + 
14]);
++
++                              memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
+                               strncpy(ctrl->manu,
+-                                      skb->data + CAPI_MSG_BASELEN + 15,
+-                                      skb->data[CAPI_MSG_BASELEN + 14]);
++                                      skb->data + CAPI_MSG_BASELEN + 15, len);
+                       }
+ 
+                       break;
+ 
+               case CAPI_FUNCTION_GET_VERSION:
++                      if (skb->len < CAPI_MSG_BASELEN + 32)
++                              break;
++
+                       controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 
12);
+ 
+                       if (!info && ctrl) {
+@@ -265,13 +280,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session 
*session, struct sk_buff *s
+                       break;
+ 
+               case CAPI_FUNCTION_GET_SERIAL_NUMBER:
++                      if (skb->len < CAPI_MSG_BASELEN + 17)
++                              break;
++
+                       controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 
12);
+ 
+                       if (!info && ctrl) {
++                              int len = min_t(uint, CAPI_SERIAL_LEN,
++                                              skb->data[CAPI_MSG_BASELEN + 
16]);
++
+                               memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
+                               strncpy(ctrl->serial,
+-                                      skb->data + CAPI_MSG_BASELEN + 17,
+-                                      skb->data[CAPI_MSG_BASELEN + 16]);
++                                      skb->data + CAPI_MSG_BASELEN + 17, len);
+                       }
+ 
+                       break;
+@@ -280,14 +300,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session 
*session, struct sk_buff *s
+               break;
+ 
+       case CAPI_IND:
++              if (skb->len < CAPI_MSG_BASELEN + 6)
++                      break;
++
+               func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3);
+ 
+               if (func == CAPI_FUNCTION_LOOPBACK) {
++                      int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6,
++                                              skb->data[CAPI_MSG_BASELEN + 
5]);
+                       appl = CAPIMSG_APPID(skb->data);
+                       msgnum = CAPIMSG_MSGID(skb->data);
+                       cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, 
func,
+-                                              skb->data + CAPI_MSG_BASELEN + 
6,
+-                                              skb->data[CAPI_MSG_BASELEN + 
5]);
++                                              skb->data + CAPI_MSG_BASELEN + 
6, len);
+               }
+ 
+               break;
+@@ -305,6 +329,9 @@ void cmtp_recv_capimsg(struct cmtp_session *session, 
struct sk_buff *skb)
+ 
+       BT_DBG("session %p skb %p len %d", session, skb, skb->len);
+ 
++      if (skb->len < CAPI_MSG_BASELEN)
++              return;
++
+       if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) {
+               cmtp_recv_interopmsg(session, skb);
+               return;
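Review bot: In the CAPI_FUNCTION_GET_MANUFACTURER and CAPI_FUNCTION_GET_SERIAL_NUMBER cases the new `len` is clamped to the destination size (CAPI_MANUFACTURER_LEN / CAPI_SERIAL_LEN) but not to what is actually left in the packet, so a message whose length byte at CAPI_MSG_BASELEN+14 (or +16) exceeds the remaining payload lets strncpy read past skb->len, while the CAPI_FUNCTION_LOOPBACK case in the same patch already clamps against `skb->len - CAPI_MSG_BASELEN - 6`. The same clamp belongs in both string cases, e.g. `len = min_t(uint, len, skb->len - CAPI_MSG_BASELEN - 15);` right after the existing min_t in the manufacturer case (and `- 17` in the serial case); the length checks added just above each case guarantee these subtractions cannot underflow. Whether such an over-read stays inside the skb's allocation depends on tailroom not visible here, but copying bytes beyond the payload into ctrl->manu/ctrl->serial is at best an information leak into those fields. Separately, if ctrl->manu and ctrl->serial are exactly CAPI_MANUFACTURER_LEN and CAPI_SERIAL_LEN bytes (not shown in this hunk), a copy of the full length after the memset leaves no NUL terminator, so clamping to `CAPI_MANUFACTURER_LEN - 1` / `CAPI_SERIAL_LEN - 1` is worth confirming against the struct definition. cmtp_recv_interopmsg starts and ends outside these hunks, and cmtp_recv_capimsg continues past the last one.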

Modified: 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    (original)
+++ 
dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
    Tue Feb 27 08:13:41 2007
@@ -1,2 +1,3 @@
 + 239_mincore-hang.diff
 + 240_smbfs-honor-mount-opts-2.diff
++ 241_bluetooth-capi-size-checks.diff
