Issue 616290

Issue metadata

Status: Verified
Owner:
Closed: Jun 2016
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 1
Type: Bug


Bluetooth: Potential buffer overflow with Add Advertising

Project Member Reported by groeck@chromium.org, May 31 2016

Issue description

Upstream commit 6a0e78072c2ae:

Bluetooth: Fix potential buffer overflow with Add Advertising
    
    The Add Advertising command handler does the appropriate checks for
    the AD and Scan Response data, however fails to take into account the
    general length of the mgmt command itself, which could lead to
    potential buffer overflows. This patch adds the necessary check that
    the mgmt command length is consistent with the given ad and scan_rsp
    lengths.

Affects chromeos-4.4.

 
Project Member

Comment 1 by bugdroid1@chromium.org, Jun 1 2016

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/c77e78acaa87593716f1df39ee062df046ebdcc4

commit c77e78acaa87593716f1df39ee062df046ebdcc4
Author: Johan Hedberg <johan.hedberg@intel.com>
Date: Fri Mar 11 07:56:33 2016

UPSTREAM: Bluetooth: Fix potential buffer overflow with Add Advertising

The Add Advertising command handler does the appropriate checks for
the AD and Scan Response data, however fails to take into account the
general length of the mgmt command itself, which could lead to
potential buffer overflows. This patch adds the necessary check that
the mgmt command length is consistent with the given ad and scan_rsp
lengths.

BUG= chromium:616290 
TEST=None

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
(cherry picked from commit 6a0e78072c2ae7b20b14e0249d8108441ea928d2)
Signed-off-by: Guenter Roeck <groeck@chromium.org>

Change-Id: I7011c169366fcffffb59b3275e2fd5280921fbec
Reviewed-on: https://chromium-review.googlesource.com/348461
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Wei-Ning Huang <wnhuang@chromium.org>

[modify] https://crrev.com/c77e78acaa87593716f1df39ee062df046ebdcc4/net/bluetooth/mgmt.c

Status: Verified (was: Started)
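
The consistency check the commit message describes, sketched in user-space C as an added example. It is not the kernel patch or code from this issue; the three-byte header layout, the 31-byte per-field cap and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed header; adv_data_len bytes of AD and then
 * scan_rsp_len bytes of scan response follow it on the wire. */
struct add_adv_hdr {
    uint8_t instance;
    uint8_t adv_data_len;
    uint8_t scan_rsp_len;
};

#define MAX_AD_LEN 31 /* assumed per-field cap (legacy advertising payload size) */

/* "Before": per-field caps only; the received length is never compared
 * against what the header declares. */
int fields_only_ok(const uint8_t *buf, size_t buf_len)
{
    struct add_adv_hdr h;

    if (buf_len < sizeof(h))
        return 0;
    memcpy(&h, buf, sizeof(h));
    return h.adv_data_len <= MAX_AD_LEN && h.scan_rsp_len <= MAX_AD_LEN;
}

/* "After": additionally require the total length to be consistent. */
int length_consistent_ok(const uint8_t *buf, size_t buf_len)
{
    struct add_adv_hdr h;

    if (!fields_only_ok(buf, buf_len))
        return 0;
    memcpy(&h, buf, sizeof(h));
    return buf_len == sizeof(h) + h.adv_data_len + h.scan_rsp_len;
}

/* Constructed sample: header declares 31 + 31 payload bytes, but only
 * 2 bytes actually follow the header. */
static const uint8_t short_cmd[] = { 1, 31, 31, 0xAA, 0xBB };
/* Constructed sample: 2 bytes of AD, 1 byte of scan response, all present. */
static const uint8_t good_cmd[] = { 1, 2, 1, 0x01, 0x02, 0x03 };

int main(void)
{
    /* Exit status 0 when the good command is accepted and the short one rejected. */
    return !(length_consistent_ok(good_cmd, sizeof(good_cmd)) &&
             !length_consistent_ok(short_cmd, sizeof(short_cmd)));
}
```

The short command passes the per-field caps yet declares more payload than was received, which is the gap a total-length comparison closes.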
