Bluetooth: Properly check L2CAP config option output buffer length #1

Merged
merged 1 commit into from Sep 28, 2017

Conversation

Projects
None yet
2 participants
Owner

mariogrip commented Sep 28, 2017

Patch for Blueborne (CVE-2017-1000251)

From: Ben Seri ben@armis.com

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri ben@armis.com
Signed-off-by: Marcel Holtmann marcel@holtmann.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.orgFrom: Ben Seri ben@armis.com

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri ben@armis.com
Signed-off-by: Marcel Holtmann marcel@holtmann.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org

Bluetooth: Properly check L2CAP config option output buffer length
4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Seri <ben@armis.com>

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

@mariogrip mariogrip merged commit 2669fa0 into ubp-5.1 Sep 28, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment