
Bug 157836

Summary: Kernel: Multiple problems in net/bluetooth/cmtp/capi.c (CVE-2006-6106)
Product: Gentoo Security Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Kernel
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE
Severity: normal
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.19.y.git;a=commit;h=d4ea7f9f5554d94dcb8a630f470c724d05e8f112
Whiteboard: [linux <2.6.16.38] [linux >=2.6.17 <2.6.18.6] [linux >=2.6.19 <2.6.19.2]
Package list:
Runtime testing required: ---
Attachments:
  patch-bluetooth-cmtp-length-checks (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 08:07:44 UTC
Handling of an incoming packet in net/bluetooth/cmtp/capi.c:

     case CAPI_FUNCTION_GET_SERIAL_NUMBER:
             controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
             if (!info && ctrl) {
                     memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
                     strncpy(ctrl->serial,
                             skb->data + CAPI_MSG_BASELEN + 17,
                             skb->data[CAPI_MSG_BASELEN + 16]);
             }
             break;

The "->serial" field is "unsigned char[8]", and no checks are done on
"skb->data[CAPI_MSG_BASELEN + 16]" from the incoming packet.

This could mess with "struct capi_ctr" from include/linux/isdn/capilli.h
and give the possibility of overwriting "struct proc_dir_entry *procent;".

The "case CAPI_FUNCTION_GET_MANUFACTURER:" in the same place has the
same problem.
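A bounded version of the copy quoted above, added here as an illustration and not the attached patch or the upstream fix: the packet's length byte is clamped to what the frame actually carries and to the destination size, so a large value can no longer reach the field that follows "serial". CAPI_MSG_BASELEN is assumed to be 8; struct ctrl_stub, run_checked() and last_serial() are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAPI_MSG_BASELEN 8   /* assumed value of the kernel constant */
#define CAPI_SERIAL_LEN  8   /* sizeof(ctrl->serial), as the report states */
#define SERIAL_OFF (CAPI_MSG_BASELEN + 17)  /* first byte of the serial text */

/* Cut-down stand-in for struct capi_ctr: the two fields the report names. */
struct ctrl_stub {
    unsigned char serial[CAPI_SERIAL_LEN];
    void *procent;           /* follows serial, so an overrun lands here */
};

/* Bounded replacement for the reported strncpy: the length byte read from
 * the frame is clamped to the bytes the frame holds and to the buffer,
 * leaving room for a NUL. Returns bytes copied, or -1 for a frame too
 * short to even carry the length byte. */
int copy_serial_checked(struct ctrl_stub *c, const uint8_t *data, size_t len)
{
    if (len < SERIAL_OFF)
        return -1;
    size_t n = data[SERIAL_OFF - 1];     /* remote-controlled length byte */
    if (n > len - SERIAL_OFF)            /* claims more than the frame has */
        n = len - SERIAL_OFF;
    if (n > CAPI_SERIAL_LEN - 1)         /* would run into procent */
        n = CAPI_SERIAL_LEN - 1;
    memset(c->serial, 0, CAPI_SERIAL_LEN);
    memcpy(c->serial, data + SERIAL_OFF, n);
    return (int)n;
}

static struct ctrl_stub last;   /* controller state left by run_checked() */

/* Build a constructed GET_SERIAL_NUMBER reply (zeroed header, length byte,
 * at most 32 bytes of serial text) and run it through the checked copy.
 * Returns bytes copied, or -2 if the procent sentinel was disturbed. */
int run_checked(uint8_t claimed, const char *serial)
{
    static uint8_t frame[SERIAL_OFF + 32];
    size_t slen = strlen(serial) > 32 ? 32 : strlen(serial);
    memset(frame, 0, SERIAL_OFF);
    frame[SERIAL_OFF - 1] = claimed;
    memcpy(frame + SERIAL_OFF, serial, slen);
    memset(&last, 0, sizeof last);
    last.procent = &last;    /* sentinel that must survive the copy */
    int n = copy_serial_checked(&last, frame, SERIAL_OFF + slen);
    return last.procent == &last ? n : -2;
}

const char *last_serial(void) { return (const char *)last.serial; }
```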
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 08:08:30 UTC
Created attachment 103801 [details, diff]
patch-bluetooth-cmtp-length-checks
Comment 2 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2007-05-21 23:39:48 UTC
Xen, this is you only. Past release date, so CC'ing herd isn't unacceptable.

Bump to 2.6.18.6 or 2.6.19.x, or patch.
Comment 3 Micheal Marineau (RETIRED) gentoo-dev 2007-08-26 23:33:09 UTC
(In reply to comment #2)
> Xen, this is you only. Past release date, so CC'ing herd isn't unacceptable.
> 
> Bump to 2.6.18.6 or 2.6.19.x, or patch.
> 

Fixed in xen-sources-2.6.18-r3
Comment 5 Bjoern Tropf (RETIRED) gentoo-dev 2009-07-13 19:00:58 UTC
Duplicate:
(CVE-2006-6106) http://bugs.gentoo.org/show_bug.cgi?id=158791
Comment 6 Bjoern Tropf (RETIRED) gentoo-dev 2009-07-13 19:02:01 UTC

*** This bug has been marked as a duplicate of bug 158791 ***