[SRU] [T/X/B/C/D] [PATCH 0/1] CVE-2019-3459 - Heap address infoleak in use of l2cap_get_conf_opt
Kai Heng Feng
kai.heng.feng at canonical.com
Tue Feb 19 10:51:28 UTC 2019
> On Feb 19, 2019, at 11:48 AM, Kai-Heng Feng <kai.heng.feng at canonical.com> wrote:
>
> Heap data infoleak in multiple locations including
> functionl2cap_parse_conf_rsp
Copy-paste the wrong discription, it should be
"Heap address infoleak in use of l2cap_get_conf_opt”
instead.
Kai-Heng
>
> The fix itself is quite trivial, quote the commit message:
> "To prevent any potential leak of heap memory, it is enough to check
> that the resulting len calculation after calling l2cap_get_conf_opt is
> not below zero. A well formed packet will always return >= 0 here and
> will end with the length value being zero after the last option has been
> parsed. In case of malformed packets messing with the opt->len field the
> length value will become negative. If that is the case, then just abort
> and ignore the option."
>
> Marcel Holtmann (1):
> Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
>
> net/bluetooth/l2cap_core.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> --
> 2.17.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
More information about the kernel-team
mailing list