ACK / APPLIED[D]: [X/B/C/D] [PATCH 1/1] Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt
Seth Forshee
seth.forshee at canonical.com
Wed Feb 20 11:32:31 UTC 2019
On Tue, Feb 19, 2019 at 08:27:45PM +0800, Kai-Heng Feng wrote:
> From: Marcel Holtmann <marcel at holtmann.org>
>
> When doing option parsing for standard type values of 1, 2 or 4 octets,
> the value is converted directly into a variable instead of a pointer. To
> avoid being tricked into being a pointer, check that for these option
> types the sizes actually match. In L2CAP every option is fixed size and
> thus it is prudent anyway to ensure that the remote side sends us the
> right option size along with option parameters.
>
> If the option size is not matching the option type, then that option is
> silently ignored. It is a protocol violation and instead of trying to
> give the remote attacker any further hints just pretend that option is
> not present and proceed with the default values. Implementations
> following the specification and its qualification procedures will always
> use the correct size and thus not be impacted here.
>
> To keep the code readable and consistent across all options, a few
> cosmetic changes were also required.
>
> CVE-2019-3460
>
> Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
> Reviewed-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
> Signed-off-by: Johan Hedberg <johan.hedberg at intel.com>
> (cherry picked from commit af3d5d1c87664a4f150fcf3534c6567cb19909b0 linux-next)
> Signed-off-by: Kai-Heng Feng <kai.heng.feng at canonical.com>
I wish the cosmetic changes had been made in a later patch, but it all
looks safe to me. For this patch (I haven't reviewed the trusty
patches):
Acked-by: Seth Forshee <seth.forshee at canonical.com>
Applied to disco/master-next and unstable/master, thanks!
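
The size check described in the quoted commit message, sketched as a user-space parser; this is an added example, not the kernel patch or code from this thread. The struct, function names and sample bytes are constructed for illustration, the option codes and defaults are taken from L2CAP rather than from this page, and only three option types are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Option type codes and defaults follow L2CAP; names are illustrative. */
enum { OPT_MTU = 0x01, OPT_FLUSH_TO = 0x02, OPT_FCS = 0x05 };
struct chan_conf {
    uint16_t mtu, flush_to;   /* defaults 672 and 0xFFFF */
    uint8_t fcs;              /* default 1 (CRC16) */
    unsigned ignored;         /* known options dropped for a wrong size */
};
/* Constructed sample: MTU=256, flush timeout with length 4 (not 2), FCS=0. */
static const uint8_t sample_opts[] = {
    0x01, 0x02, 0x00, 0x01,
    0x02, 0x04, 0xaa, 0xbb, 0xcc, 0xdd,
    0x05, 0x01, 0x00,
};

/* Returns 0 on success, -1 if an option runs past the end of the buffer. */
int parse_conf_opts(const uint8_t *buf, size_t len, struct chan_conf *c)
{
    c->mtu = 672; c->flush_to = 0xFFFF; c->fcs = 1; c->ignored = 0;
    while (len >= 2) {
        uint8_t type = buf[0] & 0x7f;   /* mask off the hint bit */
        size_t olen = buf[1];
        if (olen > len - 2)
            return -1;                  /* truncated value */
        /* Use the value only if its length is the type's fixed size. */
        if (type == OPT_MTU && olen == 2)
            c->mtu = (uint16_t)(buf[2] | (buf[3] << 8));
        else if (type == OPT_FLUSH_TO && olen == 2)
            c->flush_to = (uint16_t)(buf[2] | (buf[3] << 8));
        else if (type == OPT_FCS && olen == 1)
            c->fcs = buf[2];
        else if (type == OPT_MTU || type == OPT_FLUSH_TO || type == OPT_FCS)
            c->ignored++;               /* treated as absent, default kept */
        buf += 2 + olen;
        len -= 2 + olen;
    }
    return len == 0 ? 0 : -1;
}

int main(void)
{
    struct chan_conf c;
    int rc = parse_conf_opts(sample_opts, sizeof(sample_opts), &c);
    printf("rc=%d mtu=%u flush_to=%#x ignored=%u\n", rc, c.mtu, c.flush_to, c.ignored);
    return rc;
}
```

The mis-sized flush timeout option is skipped without an error, so the channel keeps the default and the sender learns nothing from the response.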