From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Marcel Holtmann, Johan Hedberg, Sasha Levin, linux-bluetooth@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.9 73/87] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer
Date: Wed, 27 Mar 2019 14:20:26 -0400
Message-Id: <20190327182040.17444-73-sashal@kernel.org>
In-Reply-To: <20190327182040.17444-1-sashal@kernel.org>
References: <20190327182040.17444-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Marcel Holtmann

[ Upstream commit 7c9cbd0b5e38a1672fcd137894ace3b042dfbf69 ]

The function l2cap_get_conf_opt will return L2CAP_CONF_OPT_SIZE + opt->len as length value. The opt->len however is under the control of the remote user and can be used by an attacker to gain access beyond the bounds of the actual packet.

To prevent any potential leak of heap memory, it is enough to check that the resulting len calculation after calling l2cap_get_conf_opt is not below zero. A well-formed packet will always return >= 0 here and will end with the length value being zero after the last option has been parsed. In case of malformed packets messing with the opt->len field the length value will become negative. If that is the case, then just abort and ignore the option.

In case an attacker uses a too short opt->len value, then garbage will be parsed, but that is protected by the unknown option handling and also the option parameter size checks.

Signed-off-by: Marcel Holtmann
Reviewed-by: Greg Kroah-Hartman
Signed-off-by: Johan Hedberg
Signed-off-by: Sasha Levin
---
 net/bluetooth/l2cap_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 1fc23cb4a3e0..bf7a2846a85f 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c @@ -3326,6 +3326,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&req, &type, &olen, &val); + if (len < 0) + break; hint = type & L2CAP_CONF_HINT; type &= L2CAP_CONF_MASK; @@ -3537,6 +3539,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len, while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_MTU: @@ -3717,6 +3721,8 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len) while (len >= L2CAP_CONF_OPT_SIZE) { len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val); + if (len < 0) + break; switch (type) { case L2CAP_CONF_RFC: -- 2.19.1
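Review bot: the new `if (len < 0) break;` in l2cap_parse_conf_req (first hunk) is only effective because `len` is a signed int; the enclosing function takes its buffer size as `size_t` (visible in the hunk header), so a later cleanup that makes `len` unsigned would turn the subtraction into a wrap, make this test dead, and let the loop continue with a huge `len`. A one-line comment at the declaration of `len` saying it must stay signed for this guard would protect the fix from that kind of refactoring.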
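Review bot: in l2cap_parse_conf_rsp (second hunk) the `break` on a negative `len` silently discards the rest of a malformed response and lets the function carry on with whatever options were parsed before it, and the caller cannot tell a truncated response from a complete one. The commit message describes this as "abort and ignore the option", which is the safe memory behaviour, but an error return or at least a `BT_DBG`/`BT_ERR`-style message at this point would make a peer sending bad option lengths visible in logs instead of being partially honoured.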
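Review bot: l2cap_conf_rfc_get (third hunk) carries the third verbatim copy of the same two-line guard, placed one statement away from the subtraction it protects. Because l2cap_get_conf_opt receives only the cursor and not the remaining length, it cannot validate the claimed size itself; passing the remaining length into it (or adding a small wrapper that takes `&len` and returns an error when it would go negative) would keep the bounds check in one place and cover any future caller without relying on each loop remembering to repeat these lines.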
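The option walk the commit message describes, written out as an added example that is neither kernel code nor part of this patch: a stand-alone C model of an L2CAP configuration option list parsed with the `len < 0` guard, run over two constructed packets. The helper `get_conf_opt` mirrors the kernel function's contract (advance the cursor, return the claimed size) but is this example's own; the type values and the 2-byte sizes for the MTU and flush-timeout options follow the L2CAP option definitions, and both sample packets are constructed, not captured traffic.

```c
#include <stdint.h>

#define L2CAP_CONF_OPT_SIZE 2      /* one type byte + one length byte */
#define L2CAP_CONF_MASK     0x7f   /* strips the hint bit from the type */
#define L2CAP_CONF_MTU      0x01   /* carries a 2-byte value */
#define L2CAP_CONF_FLUSH_TO 0x02   /* carries a 2-byte value */
struct conf_opt { uint8_t type; uint8_t len; uint8_t val[]; };

/* Same contract as the kernel helper: read one option header, step past the
 * option and return the size the packet *claims*. The claim is peer-controlled. */
static int get_conf_opt(const uint8_t **ptr, int *type, int *olen, const uint8_t **val)
{
    const struct conf_opt *opt = (const struct conf_opt *)*ptr;
    *type = opt->type;
    *olen = opt->len;
    *val  = opt->val;
    *ptr += L2CAP_CONF_OPT_SIZE + opt->len;
    return L2CAP_CONF_OPT_SIZE + opt->len;
}
struct parse_result { int accepted; int rejected; int truncated; int final_len; };

/* Walks an option list the way the patched loops do. `len` must be a signed
 * int: an unsigned type would wrap on subtraction instead of going negative. */
static struct parse_result parse_conf_opts(const uint8_t *data, int len)
{
    struct parse_result r = {0, 0, 0, 0};
    const uint8_t *p = data;
    while (len >= L2CAP_CONF_OPT_SIZE) {
        int type, olen; const uint8_t *val;
        len -= get_conf_opt(&p, &type, &olen, &val);
        if (len < 0) {          /* the check the patch adds */
            r.truncated = 1;    /* option claims more bytes than remain */
            break;              /* stop before val is ever dereferenced */
        }
        /* Only now is val[0 .. olen) known to lie inside the packet. */
        type &= L2CAP_CONF_MASK;
        if (olen == 2 && (type == L2CAP_CONF_MTU || type == L2CAP_CONF_FLUSH_TO))
            r.accepted++;       /* known option with the size it must have */
        else
            r.rejected++;       /* unknown type or wrong size: ignored */
    }
    r.final_len = len;          /* 0 after a well-formed list */
    return r;
}

/* Constructed packets, not captured traffic: a well-formed list, and one whose
 * second option claims 0x40 value bytes when only its 2-byte header is left. */
static const uint8_t good_pkt[] = { 0x01, 0x02, 0xf4, 0x01,    /* MTU = 500 */
                                    0x02, 0x02, 0xff, 0xff };  /* flush timeout */
static const uint8_t bad_pkt[]  = { 0x01, 0x02, 0xf4, 0x01, 0x02, 0x40 };
```

On the well-formed packet `len` ends at exactly 0; on the malformed one the second header's claimed length drives it to -64 and the loop stops with the first option accepted and nothing read past the buffer.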