This is a note to let you know that I've just added the patch titled
Bluetooth: bnep: fix buffer overflow
to the 2.6.38-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bluetooth-bnep-fix-buffer-overflow.patch
and it can be found in the queue-2.6.38 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
From 43629f8f5ea32a998d06d1bb41eefa0e821ff573 Mon Sep 17 00:00:00 2001
From: Vasiliy Kulikov <[email protected]>
Date: Mon, 14 Feb 2011 13:54:31 +0300
Subject: Bluetooth: bnep: fix buffer overflow
From: Vasiliy Kulikov <[email protected]>
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.
Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
Signed-off-by: Vasiliy Kulikov <[email protected]>
Signed-off-by: Gustavo F. Padovan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/bluetooth/bnep/sock.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {
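Review bot: the added `ca.device[sizeof(ca.device)-1] = 0;` just before `bnep_add_connection(&ca, nsock)` carries no comment explaining why the terminator is forced, and it silently truncates a name that fills the whole field rather than rejecting it. A one-line comment saying that ca comes from userspace and that device may arrive unterminated would keep a later cleanup from dropping the line as redundant. Kernel style would also put spaces around the operator, `sizeof(ca.device) - 1`. The terminator is written only on this path, after the socket check, so it is worth confirming that no other branch of bnep_sock_ioctl hands a user-supplied name onward without the same treatment; that is not visible in this hunk.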
Patches currently in stable-queue which might be from [email protected] are
queue-2.6.38/bluetooth-bnep-fix-buffer-overflow.patch
queue-2.6.38/bridge-netfilter-fix-information-leak.patch
queue-2.6.38/bluetooth-sco-fix-information-leak-to-userspace.patch