android_kernel_asus_sm8350/net/bluetooth
Johan Hedberg ba1d6936f6 Bluetooth: Fix buffer overflow with variable length commands
The handler for variable length commands was trying to calculate the
expected length of the command based on the given parameter count, and
then comparing that with the received data. However, the expected count
was stored in a u16 which can easily overflow. With a carefully crafted
command this can then be made to match the given data even though the
parameter count is actually way too big, resulting in a buffer overflow
when parsing the parameters.

This patch fixes the issue by calculating a per-command maximum
parameter count and returning INVALID_PARAMS if it is exceeded.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2014-07-03 17:42:59 +02:00
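Added illustration of the length check described in the commit message above (example code, not the kernel's mgmt.c): the vulnerable form accumulates the expected length in a u16, so a large parameter count wraps to a small value and matches a short packet; the fixed form bounds the count by a per-command maximum before computing the length. The 4-byte header, 7-byte parameter and 65535-byte maximum payload are constructed assumptions, not values from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed layout: fixed header followed by param_count
 * fixed-size parameters. Sizes are assumptions for the demo. */
#define HDR_LEN          4u
#define PARAM_LEN        7u
#define MAX_PAYLOAD_LEN  65535u   /* assumed upper bound on one command */

enum { MGMT_OK = 0, MGMT_INVALID_PARAMS = 1 };

/* Vulnerable variant: the expected length is stored in a u16, so
 * HDR_LEN + param_count * PARAM_LEN silently truncates to 16 bits. */
uint16_t vuln_expected_len(uint16_t param_count)
{
    uint16_t expected_len = HDR_LEN + param_count * PARAM_LEN;
    return expected_len;      /* e.g. param_count 9363 -> 65545 -> 9 */
}

bool vuln_length_ok(uint16_t param_count, size_t data_len)
{
    /* A 9-byte packet claiming 9363 parameters passes this check, and a
     * parser that then walks 9363 parameters reads far past the buffer. */
    return data_len == vuln_expected_len(param_count);
}

/* Fixed variant, following the approach the commit describes: derive
 * the maximum parameter count that can physically fit in one command,
 * reject anything larger, and only then compute the expected length in
 * a type wide enough not to wrap. */
#define MAX_PARAM_COUNT ((MAX_PAYLOAD_LEN - HDR_LEN) / PARAM_LEN)   /* 9361 */

int fixed_length_check(uint16_t param_count, size_t data_len)
{
    if (param_count > MAX_PARAM_COUNT)
        return MGMT_INVALID_PARAMS;

    size_t expected_len = HDR_LEN + (size_t)param_count * PARAM_LEN;
    return data_len == expected_len ? MGMT_OK : MGMT_INVALID_PARAMS;
}
```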
bnep net/*: Fix FSF address in file headers 2013-12-06 12:37:57 -05:00
cmtp Bluetooth: Access CMTP session addresses through L2CAP channel 2013-10-13 20:00:30 +03:00
hidp Merge branch 'for-3.15/hid-core-ll-transport-cleanup' into for-linus 2014-04-01 19:05:09 +02:00
rfcomm Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2014-05-29 13:03:47 -04:00
6lowpan.c Bluetooth: 6LoWPAN: Remove network devices when unloading 2014-07-03 17:42:44 +02:00
a2mp.c Bluetooth: Provide L2CAP ops callback for memcpy_fromiovec 2014-07-03 17:42:43 +02:00
a2mp.h Bluetooth: Move a2mp.h header file into net/bluetooth/ 2013-10-11 00:10:05 +02:00
af_bluetooth.c Bluetooth: constify seq_operations 2014-07-03 17:42:52 +02:00
amp.c Bluetooth: Remove l2cap_conn->dst usage from AMP manager 2013-10-13 17:43:32 +03:00
amp.h Bluetooth: Move amp.h header file into net/bluetooth/ 2013-10-11 00:10:03 +02:00
hci_conn.c Bluetooth: Make hci_le_conn_update return the store hint 2014-07-03 17:42:57 +02:00
hci_core.c Bluetooth: Add support for background LE scanning 2014-07-03 17:42:59 +02:00
hci_event.c Bluetooth: Support scanning for devices using RPA 2014-07-03 17:42:59 +02:00
hci_sock.c Bluetooth: Add support for Unconfigured Index Added events 2014-07-03 17:42:58 +02:00
hci_sysfs.c Bluetooth: Convert to use ATTRIBUTE_GROUPS macro 2014-02-13 09:51:34 +02:00
Kconfig Bluetooth: 6LoWPAN: Create a kernel module 2014-07-03 17:42:44 +02:00
l2cap_core.c Bluetooth: Pass store hint to mgmt_new_conn_param 2014-07-03 17:42:57 +02:00
l2cap_sock.c Bluetooth: Allow L2CAP getpeername() for BT_CONFIG state 2014-07-03 17:42:52 +02:00
lib.c Bluetooth: Add error mapping for Directed Advertising Timeout 2014-03-26 09:31:36 -07:00
Makefile Bluetooth: 6LoWPAN: Create a kernel module 2014-07-03 17:42:44 +02:00
mgmt.c Bluetooth: Fix buffer overflow with variable length commands 2014-07-03 17:42:59 +02:00
sco.c net: Fix use after free by removing length arg from sk_data_ready callbacks. 2014-04-11 16:15:36 -04:00
smp.c Bluetooth: Allow re-encryption with LTK when STK is in use 2014-07-03 17:42:54 +02:00
smp.h Bluetooth: Remove HCI prefix from SMP LTK defines 2014-07-03 17:42:42 +02:00