From 20614b74e481f0c9f94032ae99f110d4647b65a6 Mon Sep 17 00:00:00 2001

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Date: Thu, 10 Jan 2019 07:28:33 +0100

Subject: [PATCH 1/2] Bluetooth: check message types in l2cap_get_conf_opt

l2cap_get_conf_opt can handle a "default" message type, but it needs to

be verified that it really is the correct type (CONF_EFS or CONF_RFC)

before passing it back to the caller.  To do this we need to check the

return value of this call now and handle the error correctly up the

stack.

Based on a patch from Ran Menscher.

Reported-by: Ran Menscher <ran.menscher@karambasecurity.com>

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Jeremy Cline <jcline@redhat.com>

---

 net/bluetooth/l2cap_core.c | 25 +++++++++++++++++++------

 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c

index d17a4736e47c..a0ce6e8e5ef7 100644

--- a/net/bluetooth/l2cap_core.c

+++ b/net/bluetooth/l2cap_core.c

@@ -2979,6 +2979,10 @@ static inline int l2cap_get_conf_opt(void **ptr, int *type, int *olen,

 		break;

 	default:

+		/* Only CONF_EFS and CONF_RFC are allowed here */

+		if ((opt->type != L2CAP_CONF_EFS) &&

+		    (opt->type != L2CAP_CONF_RFC))

+			return -EPROTO;

 		*val = (unsigned long) opt->val;

 		break;

 	}

@@ -3323,7 +3327,7 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data

 	void *endptr = data + data_size;

 	void *req = chan->conf_req;

 	int len = chan->conf_len;

-	int type, hint, olen;

+	int type, hint, olen, err;

 	unsigned long val;

 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };

 	struct l2cap_conf_efs efs;

@@ -3335,7 +3339,10 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data

 	BT_DBG("chan %p", chan);

 	while (len >= L2CAP_CONF_OPT_SIZE) {

-		len -= l2cap_get_conf_opt(&req, &type, &olen, &val;;

+		err = l2cap_get_conf_opt(&req, &type, &olen, &val;;

+		if (err < 0)

+			return err;

+		len -= err;

 		hint  = type & L2CAP_CONF_HINT;

 		type &= L2CAP_CONF_MASK;

@@ -3538,7 +3545,7 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,

 	struct l2cap_conf_req *req = data;

 	void *ptr = req->data;

 	void *endptr = data + size;

-	int type, olen;

+	int type, olen, err;

 	unsigned long val;

 	struct l2cap_conf_rfc rfc = { .mode = L2CAP_MODE_BASIC };

 	struct l2cap_conf_efs efs;

@@ -3546,7 +3553,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,

 	BT_DBG("chan %p, rsp %p, len %d, req %p", chan, rsp, len, data);

 	while (len >= L2CAP_CONF_OPT_SIZE) {

-		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val;;

+		err = l2cap_get_conf_opt(&rsp, &type, &olen, &val;;

+		if (err < 0)

+			return err;

+		len -= err;

 		switch (type) {

 		case L2CAP_CONF_MTU:

@@ -3706,7 +3716,7 @@ void __l2cap_connect_rsp_defer(struct l2cap_chan *chan)

 static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)

 {

-	int type, olen;

+	int type, olen, err;

 	unsigned long val;

 	/* Use sane default values in case a misbehaving remote device

 	 * did not send an RFC or extended window size option.

@@ -3726,7 +3736,10 @@ static void l2cap_conf_rfc_get(struct l2cap_chan *chan, void *rsp, int len)

 		return;

 	while (len >= L2CAP_CONF_OPT_SIZE) {

-		len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val;;

+		err = l2cap_get_conf_opt(&rsp, &type, &olen, &val;;

+		if (err < 0)

+			return;

+		len -= err;

 		switch (type) {

 		case L2CAP_CONF_RFC:

-- 

2.20.1

From 50cd5314f5ffa264906f4986f414750d648c4ece Mon Sep 17 00:00:00 2001

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Date: Thu, 10 Jan 2019 07:29:17 +0100

Subject: [PATCH 2/2] Bluetooth: check the buffer size for some messages before

 parsing

The L2CAP_CONF_EFS and L2CAP_CONF_RFC messages can be sent from

userspace so their structure sizes need to be checked before parsing

them.

Based on a patch from Ran Menscher.

Reported-by: Ran Menscher <ran.menscher@karambasecurity.com>

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Signed-off-by: Jeremy Cline <jcline@redhat.com>

---

 net/bluetooth/l2cap_core.c | 12 ++++++++----

 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c

index a0ce6e8e5ef7..d8d3cbdc0d29 100644

--- a/net/bluetooth/l2cap_core.c

+++ b/net/bluetooth/l2cap_core.c

@@ -3360,7 +3360,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data

 			break;

 		case L2CAP_CONF_RFC:

-			if (olen == sizeof(rfc))

+			if ((olen == sizeof(rfc)) &&

+			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc)))

 				memcpy(&rfc, (void *) val, olen);

 			break;

@@ -3370,7 +3371,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data

 			break;

 		case L2CAP_CONF_EFS:

-			if (olen == sizeof(efs)) {

+			if ((olen == sizeof(efs)) &&

+			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) {

 				remote_efs = 1;

 				memcpy(&efs, (void *) val, olen);

 			}

@@ -3575,7 +3577,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,

 			break;

 		case L2CAP_CONF_RFC:

-			if (olen == sizeof(rfc))

+			if ((olen == sizeof(rfc)) &&

+			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(rfc)))

 				memcpy(&rfc, (void *)val, olen);

 			if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&

@@ -3595,7 +3598,8 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,

 			break;

 		case L2CAP_CONF_EFS:

-			if (olen == sizeof(efs)) {

+			if ((olen == sizeof(efs)) &&

+			    (endptr - ptr >= L2CAP_CONF_OPT_SIZE + sizeof(efs))) {

 				memcpy(&efs, (void *)val, olen);

 				if (chan->local_stype != L2CAP_SERV_NOTRAFIC &&

-- 

2.20.1