Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
The RFCOMM code fails to initialize the two padding bytes of struct rfcomm_dev_list_req inserted for alignment before copying it to userland. Additionally there are two padding bytes in each instance of struct rfcomm_dev_info. The ioctl() thus discloses two bytes plus dev_num times two bytes of uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <firstname.lastname@example.org>
Cc: Marcel Holtmann <email@example.com>
Cc: Gustavo Padovan <firstname.lastname@example.org>
Cc: Johan Hedberg <email@example.com>
Signed-off-by: David S. Miller <firstname.lastname@example.org>
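
The leak described in the commit message, modelled in user space as an added example (not code from the commit or the kernel tree). The two structs are simplified stand-ins that reproduce only the padding layout the message describes, `STALE` is a constructed marker for leftover heap contents, and `stale_bytes_copied()` is a hypothetical helper; it assumes a typical ABI with 4-byte alignment for `uint32_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins, NOT the kernel definitions: each carries the
 * two alignment padding bytes the commit message describes. */
struct demo_dev_info {
    int16_t  id;      /* offset 0, followed by 2 padding bytes */
    uint32_t flags;   /* offset 4 */
};
struct demo_dev_list_req {
    uint16_t dev_num;                 /* offset 0, then 2 padding bytes */
    struct demo_dev_info dev_info[];  /* offset 4 */
};

#define STALE 0xAA  /* constructed marker standing in for old heap data */

/* Build the reply buffer field by field, then count the stale bytes that
 * copying the whole buffer out would expose.
 * zeroed = 0 models kmalloc(), zeroed = 1 models kzalloc().
 * Keep dev_num small so no field value contains the marker byte. */
size_t stale_bytes_copied(uint16_t dev_num, int zeroed)
{
    size_t size = sizeof(struct demo_dev_list_req)
                + (size_t)dev_num * sizeof(struct demo_dev_info);
    unsigned char *buf = malloc(size);
    size_t i, leaked = 0;

    if (!buf)
        return (size_t)-1;
    memset(buf, zeroed ? 0 : STALE, size);

    /* Only named members are written; padding is never touched. */
    memcpy(buf + offsetof(struct demo_dev_list_req, dev_num), &dev_num, sizeof(dev_num));
    for (i = 0; i < dev_num; i++) {
        unsigned char *e = buf + offsetof(struct demo_dev_list_req, dev_info)
                         + i * sizeof(struct demo_dev_info);
        int16_t id = (int16_t)i;
        uint32_t flags = 0x01020304u;
        memcpy(e + offsetof(struct demo_dev_info, id), &id, sizeof(id));
        memcpy(e + offsetof(struct demo_dev_info, flags), &flags, sizeof(flags));
    }

    /* A copy-out of all `size` bytes hands every remaining marker to the caller. */
    for (i = 0; i < size; i++)
        leaked += (buf[i] == STALE);
    free(buf);
    return leaked;
}
```

With the non-zeroed allocation the count follows the formula in the commit message (two bytes plus dev_num times two); with the zeroed allocation it is always zero.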