Patchwork [3.5.y.z,extended,stable] Patch "Bluetooth: RFCOMM - Fix missing msg_namelen update in" has been added to staging queue

Submitter Luis Henriques
Date May 1, 2013, 11:33 p.m.
Message ID <>
Permalink /patch/240836/
State New


Luis Henriques - May 1, 2013, 11:33 p.m.
This is a note to let you know that I have just added a patch titled

    Bluetooth: RFCOMM - Fix missing msg_namelen update in

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From f02d73787fae521288eba4a524f7b7d8506f8b67 Mon Sep 17 00:00:00 2001
From: Mathias Krause <>
Date: Sun, 7 Apr 2013 01:51:50 +0000
Subject: [PATCH] Bluetooth: RFCOMM - Fix missing msg_namelen update in

commit e11e0455c0d7d3d62276a0c55d9dfbc16779d691 upstream.

If RFCOMM_DEFER_SETUP is set in the flags, rfcomm_sock_recvmsg() returns
early with 0 without updating the possibly set msg_namelen member. This,
in turn, leads to a 128 byte kernel stack leak in net/socket.c.

Fix this by updating msg_namelen in this case. For all other cases it
will be handled in bt_sock_stream_recvmsg().

Cc: Marcel Holtmann <>
Cc: Gustavo Padovan <>
Cc: Johan Hedberg <>
Signed-off-by: Mathias Krause <>
Signed-off-by: David S. Miller <>
Signed-off-by: Luis Henriques <>
 net/bluetooth/rfcomm/sock.c | 1 +
 1 file changed, 1 insertion(+)



diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
index 20bd148..514bead 100644
--- a/net/bluetooth/rfcomm/sock.c
+++ b/net/bluetooth/rfcomm/sock.c
@@ -629,6 +629,7 @@  static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock,

 	if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) {
+		msg->msg_namelen = 0;
 		return 0;
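Review bot: the assignment `msg->msg_namelen = 0;` before the early `return 0;` is the right spot for it, since the caller copies `msg_namelen` bytes of its address buffer back to user space whether or not any payload was returned, but a bare `= 0` next to an unrelated `test_and_clear_bit()` is easy to drop in a later refactor; consider a one-line comment above it stating that the deferred-setup path hands no address back and the length is zeroed so net/socket.c does not copy uninitialised stack bytes. The commit message relies on bt_sock_stream_recvmsg() to set `msg_namelen` on every other return path, which this hunk does not show, so that claim has to be confirmed in the callee rather than read off the diff.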
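The following is an added example, not code from this patch or from the kernel: a user-space model of the contract the one-line fix restores. The handler before and after the change, the syscall-side wrapper that copies the address buffer back, and the names `proto_recvmsg_before`, `proto_recvmsg_after`, `sys_recvmsg_model` and `model_msghdr` are all assumptions for illustration; the stale stack contents are a constructed fixed pattern so the run is deterministic.

```c
/* Added example (not from the patch or the kernel): a user-space model of why
 * this one-line fix matters. sys_recvmsg_model stands in for net/socket.c, the
 * two handlers for rfcomm_sock_recvmsg() before and after the patch. All three
 * names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ADDR_STORAGE_LEN 128   /* sizeof(struct sockaddr_storage) in the kernel */

/* Only the two msghdr fields the bug involves. */
struct model_msghdr {
    void   *msg_name;
    size_t  msg_namelen;
};

typedef int (*proto_recvmsg_fn)(struct model_msghdr *msg, int defer_setup);

/* Before the patch: the deferred-setup early return leaves msg_namelen holding
 * whatever the caller passed in, although no address was written. */
static int proto_recvmsg_before(struct model_msghdr *msg, int defer_setup)
{
    if (defer_setup)
        return 0;
    /* Normal path stands in for bt_sock_stream_recvmsg(): a stream socket
     * reports no peer address, so the length becomes zero. */
    msg->msg_namelen = 0;
    return 0;
}

/* After the patch: msg_namelen is zeroed on the early path as well. */
static int proto_recvmsg_after(struct model_msghdr *msg, int defer_setup)
{
    if (defer_setup) {
        msg->msg_namelen = 0;
        return 0;
    }
    msg->msg_namelen = 0;
    return 0;
}

/* Model of the syscall wrapper. The address buffer is a stack array the
 * protocol handler is expected to fill; afterwards msg_namelen bytes of it are
 * copied back to user space (clamped to the buffer size, as the real code
 * clamps to sizeof(struct sockaddr_storage)). Returns the number of bytes
 * copied, which is the size of the leak when the handler never wrote them. */
static size_t sys_recvmsg_model(proto_recvmsg_fn handler, int defer_setup,
                                size_t user_namelen,
                                unsigned char *user_buf, size_t user_buf_len)
{
    unsigned char address[ADDR_STORAGE_LEN];
    struct model_msghdr msg;
    size_t len;

    /* Constructed stand-in for stale data left by earlier stack frames; the
     * real buffer is simply never initialised. */
    memset(address, 0xAA, sizeof(address));

    msg.msg_name = address;
    msg.msg_namelen = user_namelen;   /* taken from the user's msghdr */

    handler(&msg, defer_setup);

    len = msg.msg_namelen;
    if (len > sizeof(address))
        len = sizeof(address);
    if (len > user_buf_len)
        len = user_buf_len;
    memcpy(user_buf, address, len);   /* the copy back to user space */
    return len;
}

int main(void)
{
    unsigned char out[ADDR_STORAGE_LEN];
    size_t n;

    n = sys_recvmsg_model(proto_recvmsg_before, 1, sizeof(out), out, sizeof(out));
    printf("before the fix, deferred setup: %zu bytes of stack copied back\n", n);
    n = sys_recvmsg_model(proto_recvmsg_after, 1, sizeof(out), out, sizeof(out));
    printf("after the fix, deferred setup:  %zu bytes copied back\n", n);
    return 0;
}
```

The model shows the shape of the bug rather than the kernel's exact code: the length copied back is whatever the handler leaves in `msg_namelen`, so a handler that returns early without touching it hands the caller up to 128 bytes it never filled, and zeroing the field on that path is what closes the leak.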