| Message ID | BANLkTik7WyQ977-+8XapTgBrVRMyexyHKg@mail.gmail.com |
|---|---|
| State | Awaiting Upstream, archived |
| Delegated to: | David Miller |
| Headers | show |
On Sun, May 08, 2011 at 21:57 +0200, Filip Palian wrote: > Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding > byte each. This byte in "cinfo" is copied to userspace uninitialized. Your mail client mangles the patch, it should contain original identation tabs, not spaces. Please see Documentation/email-clients.txt. > patch no.1: Don't send 2 patches as one email. Either send 2 email or merge them into one patch (if they are similar changes). You'll ease maintainers' work. > Found by Marek Kroemeke and Filip Palian. Please see Documentation/SubmittingPatches, chapter 12 to find out how to sign the patch. And please don't crosspost to oss-security and LKML - send a separate email to o-s with a short description of a bug and a link to the LKML thread. LKML thread is a place to argue and discuss the solution, but o-s subscribers are probably not interested in such a discussion. Thanks,
--- a/net/bluetooth/l2cap_sock.c 2011-05-04 03:59:13.000000000 +0100 +++ b/net/bluetooth/l2cap_sock.c 2011-05-08 18:57:20.000000000 +0100 @@ -446,6 +446,7 @@ static int l2cap_sock_getsockopt_old(str break; } + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); -- cut -- patch no.2: -- cut -- --- a/net/bluetooth/rfcomm/sock.c 2011-05-04 03:59:13.000000000 +0100 +++ b/net/bluetooth/rfcomm/sock.c 2011-05-08 19:00:24.000000000 +0100 @@ -787,6 +787,7 @@ static int rfcomm_sock_getsockopt_old(st l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + memset(&cinfo, 0, sizeof(cinfo)); cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);