Commit f9432c5

minipli authored and davem330 committed
Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)

The RFCOMM code fails to initialize the two padding bytes of struct rfcomm_dev_list_req inserted for alignment before copying it to userland. Additionally there are two padding bytes in each instance of struct rfcomm_dev_info. The ioctl() therefore discloses two bytes plus dev_num times two bytes of uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 parent 9ad2de4 commit f9432c5
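
The padding leak the commit message describes, reproduced in user space as an added example (not code from this commit or from the kernel). The `demo_info` and `demo_list` structs, the `POISON` marker, and the `malloc()`/`memset()` stand-ins for `kmalloc()`/`kzalloc()` are assumptions chosen to show the same kind of alignment gap.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins, not the kernel's struct definitions. */
struct demo_info { uint16_t id; uint32_t flags; };           /* 2 pad bytes after id  */
struct demo_list { uint16_t num; struct demo_info info[]; }; /* 2 pad bytes after num */
#define POISON 0xA5 /* constructed marker standing in for stale heap data */

/* Fill member by member, as a driver would; padding is never written. */
static void fill(struct demo_list *dl, uint16_t n)
{
    dl->num = n;
    for (uint16_t i = 0; i < n; i++) {
        dl->info[i].id = i;
        dl->info[i].flags = 0x100u + i;
    }
}

/* Count padding bytes of the outgoing buffer that still hold the marker. */
static size_t stale_padding(const unsigned char *buf, uint16_t n)
{
    size_t hdr = offsetof(struct demo_list, info), leaked = 0;
    for (size_t o = sizeof(uint16_t); o < hdr; o++)           /* header gap */
        leaked += buf[o] == POISON;
    for (uint16_t i = 0; i < n; i++)                           /* per-entry gap */
        for (size_t o = sizeof(uint16_t); o < offsetof(struct demo_info, flags); o++)
            leaked += buf[hdr + i * sizeof(struct demo_info) + o] == POISON;
    return leaked;
}

/* zeroed == 0 models kmalloc() (stale contents), 1 models kzalloc(). */
static size_t leak_demo(uint16_t n, int zeroed)
{
    size_t size = sizeof(struct demo_list) + n * sizeof(struct demo_info);
    unsigned char *buf = malloc(size);
    if (!buf) return (size_t)-1;
    memset(buf, zeroed ? 0 : POISON, size);
    fill((struct demo_list *)buf, n);
    size_t leaked = stale_padding(buf, n);
    free(buf);
    return leaked;
}

int main(void)
{
    printf("kmalloc-like: %zu stale, kzalloc-like: %zu\n", leak_demo(3, 0), leak_demo(3, 1));
    return 0;
}
```

With three entries the unzeroed buffer carries 2 + 3 × 2 stale bytes, matching the "two bytes plus dev_num times two bytes" count in the commit message; the zeroed buffer carries none.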

1 file changed: +1 -1 lines changed

Diff for: net/bluetooth/rfcomm/tty.c

@@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)
456456

457457
size = sizeof(*dl) + dev_num * sizeof(*di);
458458

459-
dl = kmalloc(size, GFP_KERNEL);
459+
dl = kzalloc(size, GFP_KERNEL);
460460
if (!dl)
461461
return -ENOMEM;
462462
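
Review bot: the allocation on line 459 has no comment explaining why it must be zeroed, so a later cleanup could turn `dl = kzalloc(size, GFP_KERNEL);` back into kmalloc() and reintroduce the padding disclosure. Add a one-line comment above it stating that the buffer is copied to userland and contains alignment padding in both the header and each entry. Separately, `size = sizeof(*dl) + dev_num * sizeof(*di);` on line 457 is only safe if dev_num is bounded before this point; the hunk does not show that check, so it is worth confirming in the surrounding code.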
