lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bluetooth: L2CAP: Fix attempting to access uninitialized memory

Browse Source 
commit b1a2cd50c0357f243b7435a732b4e62ba3157a2e upstream.

On l2cap_parse_conf_req the variable efs is only initialized if
remote_efs has been set.

CVE: CVE-2022-42895
CC: stable@vger.kernel.org
Reported-by: Tamás Koczka <poprdi@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: Tedd Ho-Jeong An <tedd.an@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Luiz Augusto von Dentz 2022-10-31 16:10:52 -07:00 committed by Greg Kroah-Hartman
parent ad18f624e3
commit 6949400ec9
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
net/bluetooth/l2cap_core.c
View File

@ -3560,7 +3560,8 @@ done:
l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC, l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
sizeof(rfc), (unsigned long) &rfc, endptr - ptr); sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) { if (remote_efs &&
test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
chan->remote_id = efs.id; chan->remote_id = efs.id;
chan->remote_stype = efs.stype; chan->remote_stype = efs.stype;
chan->remote_msdu = le16_to_cpu(efs.msdu); chan->remote_msdu = le16_to_cpu(efs.msdu);