Re: [PATCH] Bluetooth: L2CAP: Fix attempting to access uninitialized memory

Hi Luiz

On Mon, 2022-10-31 at 16:10 -0700, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> 
> On l2cap_parse_conf_req the variable efs is only initialized if
> remote_efs has been set.
> 
> CVE: CVE-2022-42895
> CC: stable@xxxxxxxxxxxxxxx
> Reported-by: Tamás Koczka <poprdi@xxxxxxxxxx>

Reviewed-by: Tedd Ho-Jeong An <tedd.an@xxxxxxxxx>

> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>
> ---
>  net/bluetooth/l2cap_core.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
> index cdddd2c779f2..93802b27f2a5 100644
> --- a/net/bluetooth/l2cap_core.c
> +++ b/net/bluetooth/l2cap_core.c
> @@ -3764,7 +3764,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data
>                         l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,
>                                            sizeof(rfc), (unsigned long) &rfc, endptr - ptr);
>  
> -                       if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
> +                       if (remote_efs &&
> +                           test_bit(FLAG_EFS_ENABLE, &chan->flags)) {
>                                 chan->remote_id = efs.id;
>                                 chan->remote_stype = efs.stype;
>                                 chan->remote_msdu = le16_to_cpu(efs.msdu);
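Review bot: The added `remote_efs &&` guard stops the copy of efs.id, efs.stype and efs.msdu when the peer sent no EFS option, but the commit message only says efs is "not initialized"; it should spell out the consequence visible in this hunk, namely that with FLAG_EFS_ENABLE set the uninitialized contents of `efs` were copied into chan->remote_id, chan->remote_stype and chan->remote_msdu. Two follow-ups worth raising: zero-initialize `efs` at its declaration so that any future path through this function that reads it without remote_efs fails closed instead of propagating stale data, and check whether FLAG_EFS_ENABLE should be set at all when remote_efs is clear, since this hunk shows the flag alone is not a reliable indicator that an EFS option was actually parsed.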

Regards,
Tedd
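As an added example that is not part of this thread, the patch, or the kernel tree: a small userspace C model of the bug the commit message describes, written to make the uninitialized read observable. The struct layouts, the option type value 0x06, the flag bit, the parse_options() helper, run_parse() and the constructed request bytes are all stand-ins chosen for this example, not the kernel's definitions. Because reading real uninitialized stack memory is undefined behaviour, the model poisons `efs` with 0xAA to represent whatever the stack happened to hold, so the leaked value can be asserted on.

```c
/* Added example, not kernel code: model of the l2cap_parse_conf_req() bug
 * where efs is filled only when the peer sends an EFS option, but the copy
 * into the channel is gated on FLAG_EFS_ENABLE alone. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OPT_EFS         0x06  /* stand-in for L2CAP_CONF_EFS (assumption) */
#define FLAG_EFS_ENABLE 0x01  /* stand-in for the channel flag bit (assumption) */

/* Simplified model of the EFS option payload. */
struct efs_opt {
    uint8_t  id;
    uint8_t  stype;
    uint16_t msdu;
};

/* Simplified model of the channel fields touched by the hunk. */
struct chan {
    unsigned flags;
    uint8_t  remote_id;
    uint8_t  remote_stype;
    uint16_t remote_msdu;
};

/* Walk type/len/value options in data[0..len). Fills *efs and returns 1 if an
 * EFS option was present, otherwise leaves *efs untouched and returns 0. */
static int parse_options(const uint8_t *data, size_t len, struct efs_opt *efs)
{
    size_t off = 0;
    int remote_efs = 0;

    while (off + 2 <= len) {
        uint8_t type = data[off], olen = data[off + 1];
        if (off + 2 + olen > len)
            break;                       /* truncated option: stop parsing */
        if (type == OPT_EFS && olen == 4) {
            efs->id    = data[off + 2];
            efs->stype = data[off + 3];
            efs->msdu  = (uint16_t)(data[off + 4] | (data[off + 5] << 8)); /* LE16 */
            remote_efs = 1;
        }
        off += 2 + olen;
    }
    return remote_efs;
}

/* Before the patch: the copy depends on FLAG_EFS_ENABLE only, so when the
 * peer sent no EFS option the poisoned (in the kernel: uninitialized) efs
 * lands in the channel. */
void parse_conf_req_vulnerable(struct chan *chan, const uint8_t *data, size_t len)
{
    struct efs_opt efs;
    memset(&efs, 0xAA, sizeof(efs));     /* simulated stack residue */
    (void)parse_options(data, len, &efs);
    if (chan->flags & FLAG_EFS_ENABLE) {
        chan->remote_id    = efs.id;
        chan->remote_stype = efs.stype;
        chan->remote_msdu  = efs.msdu;
    }
}

/* After the patch: the copy also requires remote_efs, i.e. that efs was
 * actually filled from the request. Same poison, for a like-for-like test. */
void parse_conf_req_fixed(struct chan *chan, const uint8_t *data, size_t len)
{
    struct efs_opt efs;
    memset(&efs, 0xAA, sizeof(efs));     /* simulated stack residue */
    int remote_efs = parse_options(data, len, &efs);
    if (remote_efs && (chan->flags & FLAG_EFS_ENABLE)) {
        chan->remote_id    = efs.id;
        chan->remote_stype = efs.stype;
        chan->remote_msdu  = efs.msdu;
    }
}

/* Run one version against a constructed request. with_efs selects a request
 * that carries an EFS option (id 5, stype 1, msdu 1000) after a generic
 * option, or one that carries only the generic option. Flag set as in the
 * path the patch describes. Returns the resulting channel state. */
struct chan run_parse(int fixed, int with_efs)
{
    static const uint8_t req_no_efs[]   = { 0x01, 0x02, 0xF4, 0x01 };
    static const uint8_t req_with_efs[] = { 0x01, 0x02, 0xF4, 0x01,
                                            0x06, 0x04, 0x05, 0x01, 0xE8, 0x03 };
    struct chan chan = { .flags = FLAG_EFS_ENABLE };
    const uint8_t *req = with_efs ? req_with_efs : req_no_efs;
    size_t len = with_efs ? sizeof(req_with_efs) : sizeof(req_no_efs);

    if (fixed)
        parse_conf_req_fixed(&chan, req, len);
    else
        parse_conf_req_vulnerable(&chan, req, len);
    return chan;
}

int main(void)
{
    struct chan v = run_parse(0, 0), f = run_parse(1, 0);
    printf("no EFS option: vulnerable remote_msdu=0x%04x, fixed remote_msdu=0x%04x\n",
           v.remote_msdu, f.remote_msdu);
    return 0;
}
```

With no EFS option in the request, the pre-patch version reports the poison pattern in remote_id/remote_stype/remote_msdu, while the patched version leaves the channel's fields at their initial zero; with an EFS option present both versions store the parsed values.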
