git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Marcel Holtmann <marcel@holtmann.org>
	Tue, 19 Feb 2019 12:27:00 +0000 (13:27 +0100)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Tue, 12 Mar 2019 11:19:34 +0000 (12:19 +0100)
commit	dfdc31788e30d49075fda8310199321b1ed069f2
tree	5eb69450a6fd5ae1fea3ae898023752288f3f566	tree
parent	1775ed3641d84da65e1d99be115995ca246c7f22	commit \| diff

Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt

When doing option parsing for standard type values of 1, 2 or 4 octets,
the value is converted directly into a variable instead of a pointer. To
avoid being tricked into being a pointer, check that for these option
types that sizes actually match. In L2CAP every option is fixed size and
thus it is prudent anyway to ensure that the remote side sends us the
right option size along with option paramters.

If the option size is not matching the option type, then that option is
silently ignored. It is a protocol violation and instead of trying to
give the remote attacker any further hints just pretend that option is
not present and proceed with the default values. Implementation
following the specification and its qualification procedures will always
use the correct size and thus not being impacted here.

To keep the code readable and consistent accross all options, a few
cosmetic changes were also required.

CVE-2019-3460

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
(cherry picked from commit af3d5d1c87664a4f150fcf3534c6567cb19909b0)
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>