[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks The L2CAP and HCI setsockopt() implementations have a small information leak that makes it possible to leak kernel stack memory to userspace. If the optlen parameter is 0, no data will be copied by copy_from_user(), but the uninitialized stack buffer will be read and stored later. A call to getsockopt() can now retrieve the leaked information. To fix this problem the stack buffer given to copy_from_user() must be initialized with the current settings. Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

commit: 0878b6667f28772aa7d6b735abff53efc7bf6d91 [log] [tgz]
author: Marcel Holtmann <marcel@holtmann.org> Sat May 05 00:35:59 2007 +0200
committer: Marcel Holtmann <marcel@holtmann.org> Sat May 05 00:35:59 2007 +0200
tree: 5a1dbfb35f679335fbec4cbd17dfe64926db7750
parent: dc87c3985e9b442c60994308a96f887579addc39 [diff] [blame]
diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c
index a586787..a59b1fb 100644
--- a/net/bluetooth/l2cap.c
+++ b/net/bluetooth/l2cap.c

@@ -954,11 +954,17 @@
 
 	switch (optname) {
 	case L2CAP_OPTIONS:
+		opts.imtu     = l2cap_pi(sk)->imtu;
+		opts.omtu     = l2cap_pi(sk)->omtu;
+		opts.flush_to = l2cap_pi(sk)->flush_to;
+		opts.mode     = 0x00;
+
 		len = min_t(unsigned int, sizeof(opts), optlen);
 		if (copy_from_user((char *) &opts, optval, len)) {
 			err = -EFAULT;
 			break;
 		}
+
 		l2cap_pi(sk)->imtu  = opts.imtu;
 		l2cap_pi(sk)->omtu  = opts.omtu;
 		break;
commit	0878b6667f28772aa7d6b735abff53efc7bf6d91	[log] [tgz]
author	Marcel Holtmann <marcel@holtmann.org>	Sat May 05 00:35:59 2007 +0200
committer	Marcel Holtmann <marcel@holtmann.org>	Sat May 05 00:35:59 2007 +0200
tree	5a1dbfb35f679335fbec4cbd17dfe64926db7750
parent	dc87c3985e9b442c60994308a96f887579addc39 [diff] [blame]