Handling of incoming packet in net/bluetooth/cmtp/capi.c: case CAPI_FUNCTION_GET_SERIAL_NUMBER: controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); if (!info && ctrl) { memset(ctrl->serial, 0, CAPI_SERIAL_LEN); strncpy(ctrl->serial, skb->data + CAPI_MSG_BASELEN + 17, skb->data[CAPI_MSG_BASELEN + 16]); } break; The "->serial" is "unsigned char[8]" and no checks are done on "skb->data[CAPI_MSG_BASELEN + 16]" incoming packet. This could mess with "struct capi_ctr" from include/linux/isdn/capilli.h and give a posibility to overwrite "struct proc_dir_entry *procent;". The "case CAPI_FUNCTION_GET_MANUFACTURER:" in the same place is dealing with same problem.
Created attachment 103801 [details, diff] patch-bluetooth-cmtp-length-checks
Xen, this is you only. Past release date, so CC'ing herd isn't unacceptable. Bump to 2.6.18.6 or 2.6.19.x, or patch.
(In reply to comment #2) > Xen, this is you only. Past release date, so CC'ing herd isn't unacceptable. > > Bump to 2.6.18.6 or 2.6.19.x, or patch. > Fixed in xen-sources-2.6.18-r3
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=044a3e96c42df125bbc046495d49a6b8f380aa5a http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.18.y.git;a=commit;h=1dca7c280661c5741ac2eeb4b5386c1a566bf0b1 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.19.y.git;a=commit;h=d4ea7f9f5554d94dcb8a630f470c724d05e8f112
Duplicate: (CVE-2006-6106) http://bugs.gentoo.org/show_bug.cgi?id=158791
*** This bug has been marked as a duplicate of bug 158791 ***
