From: Chris Wright Date: Fri, 15 Dec 2006 01:01:49 +0000 (-0800) Subject: bluetooth fix from Marcel (CVE-2006-6106) for 2.6.18 X-Git-Tag: v2.6.18.6~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=15a3777b6da358461e46ace0650655e1998f890d;p=thirdparty%2Fkernel%2Fstable-queue.git bluetooth fix from Marcel (CVE-2006-6106) for 2.6.18 --- diff --git a/queue-2.6.18/bluetooth-add-packet-size-checks-for-capi-messages.patch b/queue-2.6.18/bluetooth-add-packet-size-checks-for-capi-messages.patch new file mode 100644 index 00000000000..c63c98f42ce --- /dev/null +++ b/queue-2.6.18/bluetooth-add-packet-size-checks-for-capi-messages.patch @@ -0,0 +1,121 @@ +From vendor-sec-admin@lst.de Mon Dec 11 06:28:38 2006 +Message-ID: <457D68B0.6060503@redhat.com> +From: Marcel Holtmann +CC: Al Viro +Subject: Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106) +Date: Mon, 11 Dec 2006 15:18:24 +0100 + +With malformed packets it might be possible to overwrite internal +CMTP and CAPI data structures. This patch adds additional length +checks to prevent these kinds of remote attacks. + +Signed-off-by: Marcel Holtmann +Signed-off-by: Chris Wright +--- + + net/bluetooth/cmtp/capi.c | 39 +++++++++++++++++++++++++++++++++------ + 1 file changed, 33 insertions(+), 6 deletions(-) + +--- linux-2.6.18.5.orig/net/bluetooth/cmtp/capi.c ++++ linux-2.6.18.5/net/bluetooth/cmtp/capi.c +@@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct + + switch (CAPIMSG_SUBCOMMAND(skb->data)) { + case CAPI_CONF: ++ if (skb->len < CAPI_MSG_BASELEN + 10) ++ break; ++ + func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5); + info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8); + +@@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct + break; + + case CAPI_FUNCTION_GET_PROFILE: ++ if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile)) ++ break; ++ + controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11); + msgnum = CAPIMSG_MSGID(skb->data); + +@@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct + break; + + case CAPI_FUNCTION_GET_MANUFACTURER: ++ if (skb->len < CAPI_MSG_BASELEN + 15) ++ break; ++ + controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10); + + if (!info && ctrl) { ++ int len = min_t(uint, CAPI_MANUFACTURER_LEN, ++ skb->data[CAPI_MSG_BASELEN + 14]); ++ ++ memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN); + strncpy(ctrl->manu, +- skb->data + CAPI_MSG_BASELEN + 15, +- skb->data[CAPI_MSG_BASELEN + 14]); ++ skb->data + CAPI_MSG_BASELEN + 15, len); + } + + break; + + case CAPI_FUNCTION_GET_VERSION: ++ if (skb->len < CAPI_MSG_BASELEN + 32) ++ break; ++ + controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); + + if (!info && ctrl) { +@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct + break; + + case CAPI_FUNCTION_GET_SERIAL_NUMBER: ++ if (skb->len < CAPI_MSG_BASELEN + 17) ++ break; ++ + controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); + + if (!info && ctrl) { ++ int len = min_t(uint, CAPI_SERIAL_LEN, ++ skb->data[CAPI_MSG_BASELEN + 16]); ++ + memset(ctrl->serial, 0, CAPI_SERIAL_LEN); + strncpy(ctrl->serial, +- skb->data + CAPI_MSG_BASELEN + 17, +- skb->data[CAPI_MSG_BASELEN + 16]); ++ skb->data + CAPI_MSG_BASELEN + 17, len); + } + + break; +@@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct + break; + + case CAPI_IND: ++ if (skb->len < CAPI_MSG_BASELEN + 6) ++ break; ++ + func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3); + + if (func == CAPI_FUNCTION_LOOPBACK) { ++ int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6, ++ skb->data[CAPI_MSG_BASELEN + 5]); + appl = CAPIMSG_APPID(skb->data); + msgnum = CAPIMSG_MSGID(skb->data); + cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func, +- skb->data + CAPI_MSG_BASELEN + 6, +- skb->data[CAPI_MSG_BASELEN + 5]); ++ skb->data + CAPI_MSG_BASELEN + 6, len); + } + + break; +@@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_sessi + + BT_DBG("session %p skb %p len %d", session, skb, skb->len); + ++ if (skb->len < CAPI_MSG_BASELEN) ++ return; ++ + if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) { + cmtp_recv_interopmsg(session, skb); + return; diff --git a/queue-2.6.18/series b/queue-2.6.18/series index 243d03f6bd1..b21cdc17bb5 100644 --- a/queue-2.6.18/series +++ b/queue-2.6.18/series @@ -21,3 +21,4 @@ skip-data-conversion-in-compat_sys_mount-when-data_page-is-null.patch softirq-remove-bug_ons-which-can-incorrectly-trigger.patch m32r-make-userspace-headers-platform-independent.patch forcedeth-disable-intx-when-enabling-msi-in-forcedeth.patch +bluetooth-add-packet-size-checks-for-capi-messages.patch