Bluetooth: Properly check L2CAP config option output buffer length #1

Merged

mariogrip merged 1 commit into ubp-5.1 from CVE-2017-1000251

Sep 28, 2017

Owner

mariogrip commented Sep 28, 2017

Patch for Blueborne (CVE-2017-1000251)

From: Ben Seri ben@armis.com

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri ben@armis.com
Signed-off-by: Marcel Holtmann marcel@holtmann.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.orgFrom: Ben Seri ben@armis.com

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri ben@armis.com
Signed-off-by: Marcel Holtmann marcel@holtmann.org
Signed-off-by: Linus Torvalds torvalds@linux-foundation.org
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org


      Bluetooth: Properly check L2CAP config option output buffer length

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Seri <ben@armis.com>

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

f0b4fb5

mariogrip merged commit `2669fa0` into ubp-5.1 Sep 28, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

You can't perform that action at this time.