From 0878b6667f28772aa7d6b735abff53efc7bf6d91 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Sat, 5 May 2007 00:35:59 +0200 Subject: [Bluetooth] Fix L2CAP and HCI setsockopt() information leaks The L2CAP and HCI setsockopt() implementations have a small information leak that makes it possible to leak kernel stack memory to userspace. If the optlen parameter is 0, no data will be copied by copy_from_user(), but the uninitialized stack buffer will be read and stored later. A call to getsockopt() can now retrieve the leaked information. To fix this problem the stack buffer given to copy_from_user() must be initialized with the current settings. Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_sock.c | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'net/bluetooth/hci_sock.c') diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c index 832b5f44be5..bfc9a35bad3 100644 --- a/net/bluetooth/hci_sock.c +++ b/net/bluetooth/hci_sock.c @@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char break; case HCI_FILTER: + { + struct hci_filter *f = &hci_pi(sk)->filter; + + uf.type_mask = f->type_mask; + uf.opcode = f->opcode; + uf.event_mask[0] = *((u32 *) f->event_mask + 0); + uf.event_mask[1] = *((u32 *) f->event_mask + 1); + } + len = min_t(unsigned int, len, sizeof(uf)); if (copy_from_user(&uf, optval, len)) { err = -EFAULT; -- cgit v1.2.3