Skip to content
Snippets Groups Projects
Commit 8282e42e authored by Marcel Holtmann's avatar Marcel Holtmann Committed by 谢秀奇
Browse files

Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt


mainline inclusion
from mainline-5.0
commit af3d5d1c
category: bugfix
bugzilla: NA
CVE: CVE-2019-3460

-------------------------------------------------

When doing option parsing for standard type values of 1, 2 or 4 octets,
the value is converted directly into a variable instead of a pointer. To
avoid being tricked into being a pointer, check that for these option
types that sizes actually match. In L2CAP every option is fixed size and
thus it is prudent anyway to ensure that the remote side sends us the
right option size along with option paramters.

If the option size is not matching the option type, then that option is
silently ignored. It is a protocol violation and instead of trying to
give the remote attacker any further hints just pretend that option is
not present and proceed with the default values. Implementation
following the specification and its qualification procedures will always
use the correct size and thus not being impacted here.

To keep the code readable and consistent accross all options, a few
cosmetic changes were also required.

Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJohan Hedberg <johan.hedberg@intel.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parent a3dbdb59
No related branches found
No related tags found
No related merge requests found
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment