Gentoo's Bugzilla – Attachment 103801 Details for Bug 157836: Kernel: Multiple problems in net/bluetooth/cmtp/capi.c (CVE-2006-6106)
[patch] patch-bluetooth-cmtp-length-checks (text/plain), 3.63 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2006-12-11 08:08:30 UTC
Description: patch-bluetooth-cmtp-length-checks
Filename: patch-bluetooth-cmtp-length-checks
MIME Type: text/plain
Creator: Sune Kloppenborg Jeppesen (RETIRED)
Created: 2006-12-11 08:08:30 UTC
Size: 3.63 KB
Flags: patch, obsolete
>[Bluetooth] Add packet size checks for CAPI messages > >With malformed packets it might be possible to overwrite internal >CMTP and CAPI data structures. This patch adds additional length >checks to prevent these kinds of remote attacks. > >Signed-off-by: Marcel Holtmann <marcel@holtmann.org> > >--- >commit b48c561376403b411921ac69e5d06899f1f98f53 >tree 833d4389d00f5bf41e005d798d4db79e635a12c8 >parent 9202f32558601c2c99ddc438eb3218131d00d413 >author Marcel Holtmann <marcel@holtmann.org> Mon, 11 Dec 2006 15:02:01 +0100 >committer Marcel Holtmann <marcel@holtmann.org> Mon, 11 Dec 2006 15:02:01 +0100 > > net/bluetooth/cmtp/capi.c | 39 +++++++++++++++++++++++++++++++++------ > 1 files changed, 33 insertions(+), 6 deletions(-) > >diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c >index be04e9f..ab166b4 100644 >--- a/net/bluetooth/cmtp/capi.c >+++ b/net/bluetooth/cmtp/capi.c >@@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct > > switch (CAPIMSG_SUBCOMMAND(skb->data)) { > case CAPI_CONF: >+ if (skb->len < CAPI_MSG_BASELEN + 10) >+ break; >+ > func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5); > info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8); > >@@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct > break; > > case CAPI_FUNCTION_GET_PROFILE: >+ if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile)) >+ break; >+ > controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11); > msgnum = CAPIMSG_MSGID(skb->data); 
> >@@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct > break; > > case CAPI_FUNCTION_GET_MANUFACTURER: >+ if (skb->len < CAPI_MSG_BASELEN + 15) >+ break; >+ > controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10); > > if (!info && ctrl) { >+ int len = min_t(uint, CAPI_MANUFACTURER_LEN, >+ skb->data[CAPI_MSG_BASELEN + 14]); >+ >+ memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN); > strncpy(ctrl->manu, >- skb->data + CAPI_MSG_BASELEN + 15, >- skb->data[CAPI_MSG_BASELEN + 14]); >+ skb->data + CAPI_MSG_BASELEN + 15, len); > } > > break; > > case CAPI_FUNCTION_GET_VERSION: >+ if (skb->len < CAPI_MSG_BASELEN + 32) >+ break; >+ > controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); > > if (!info && ctrl) { >@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct > break; > > case CAPI_FUNCTION_GET_SERIAL_NUMBER: >+ if (skb->len < CAPI_MSG_BASELEN + 17) >+ break; >+ > controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); > > if (!info && ctrl) { >+ int len = min_t(uint, CAPI_SERIAL_LEN, >+ skb->data[CAPI_MSG_BASELEN + 16]); >+ > memset(ctrl->serial, 0, CAPI_SERIAL_LEN); > strncpy(ctrl->serial, >- skb->data + CAPI_MSG_BASELEN + 17, >- skb->data[CAPI_MSG_BASELEN + 16]); >+ skb->data + CAPI_MSG_BASELEN + 17, len); > } > > break; >@@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct > break; > > case CAPI_IND: >+ if (skb->len < CAPI_MSG_BASELEN + 6) >+ break; >+ > func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3); > > if (func == CAPI_FUNCTION_LOOPBACK) { >+ int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6, >+ skb->data[CAPI_MSG_BASELEN + 5]); > appl = CAPIMSG_APPID(skb->data); > msgnum = CAPIMSG_MSGID(skb->data); > cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func, >- skb->data + CAPI_MSG_BASELEN + 6, >- skb->data[CAPI_MSG_BASELEN + 5]); >+ skb->data + CAPI_MSG_BASELEN + 6, len); > } > > break; 
>@@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_sessi > > BT_DBG("session %p skb %p len %d", session, skb, skb->len); > >+ if (skb->len < CAPI_MSG_BASELEN) >+ return; >+ > if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) { > cmtp_recv_interopmsg(session, skb); > return;
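Review bot: the new CAPI_CONF guard `if (skb->len < CAPI_MSG_BASELEN + 10)` in the first hunk is exactly sized for the two reads that follow (the CAPIMSG_U16 at BASELEN + 8 consumes bytes +8 and +9), but the bare `break` discards a truncated message with no trace. Add a BT_DBG line reporting the short length before the break so malformed traffic shows up in the log instead of being silently dropped; the same applies to every new guard in this patch.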
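Review bot: the GET_PROFILE guard in the second hunk reserves `CAPI_MSG_BASELEN + 11 + sizeof(capi_profile)` bytes, yet the only read visible in the hunk is the CAPIMSG_U16 at BASELEN + 11; the profile copy that the sizeof term is sized for lies outside the shown context. Confirm that copy also starts at offset BASELEN + 11; if it starts after the controller field, the bound has to be raised by that offset.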
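Review bot: in the GET_MANUFACTURER case of the third hunk the new `len` is capped against CAPI_MANUFACTURER_LEN only, not against the bytes actually present in the skb, so a message that passes the `CAPI_MSG_BASELEN + 15` guard but carries a length byte larger than its remaining payload still makes strncpy read past the end of the received data. Bound it the way the CAPI_IND case in this same patch does: keep `int len = min_t(uint, CAPI_MANUFACTURER_LEN, skb->data[CAPI_MSG_BASELEN + 14]);` and follow it with `len = min_t(uint, len, skb->len - CAPI_MSG_BASELEN - 15);`. The memset added before the strncpy is the right fix for the missing NUL termination. For GET_VERSION the `+ 32` guard cannot be checked from this hunk, which shows only the CAPIMSG_U32 at +12; list the reads it covers in the commit message.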
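Review bot: GET_SERIAL_NUMBER in the fourth hunk has the same gap as the manufacturer case: `len` is capped by CAPI_SERIAL_LEN and by the peer-supplied byte at +16, but not by `skb->len - CAPI_MSG_BASELEN - 17`, so strncpy can still read beyond the received bytes when that length byte overstates the payload. Add the second min_t against the remaining skb length; the existing memset then keeps the copy NUL-terminated.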
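Review bot: the loopback case in the fifth hunk is the one place in this patch where the copy length is bounded by both the peer's length byte and `skb->len - CAPI_MSG_BASELEN - 6`, and the preceding `+ 6` guard guarantees the subtraction cannot wrap, so the min_t is sound. For consistency with the other cases keep a blank line after the `int len` declaration, and reuse this two-sided bound for the manufacturer and serial copies.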
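Review bot: the new `if (skb->len < CAPI_MSG_BASELEN) return;` in the last hunk protects the CAPIMSG_COMMAND read but returns without a visible kfree_skb; the function's other exit paths are outside the hunk, so confirm who owns the skb at this point and free it here if cmtp_recv_capimsg normally consumes it. A BT_ERR or BT_DBG on this path would also make undersized CAPI frames observable.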