Hi Dan, * Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> [2011-06-24 08:38:05 -0400]: > A remote user can provide a small value for the command size field in > the command header of an l2cap configuration request, resulting in an > integer underflow when subtracting the size of the configuration request > header. This results in copying a very large amount of data via > memcpy() and destroying the kernel heap. Check for underflow. > > Signed-off-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx> > Cc: stable <stable@xxxxxxxxxx> > --- > net/bluetooth/l2cap_core.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) Applied, thanks. Gustavo -- To unsubscribe from this list: send the line "unsubscribe linux-bluetooth" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
