Hi Gustavo

On Tue, Feb 26, 2013 at 9:01 PM, Gustavo Padovan <gustavo@xxxxxxxxxxx> wrote:
> Hi David,
>
> * David Herrmann <dh.herrmann@xxxxxxxxx> [2013-02-24 19:36:54 +0100]:
>
>> We need to verify that the given sockets are actually l2cap sockets. If
>> they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
>> start the session if the offsets turn out to be valid local BT addresses.
>
> What is the issue you are trying to fix here, I don't get it.

Look what happens if you pass TCP sockets instead of l2cap sockets (or any
other kind of socket). In hidp_add_connection() we do:

    if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
        bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))

Who guarantees that ctrl_sock->sk is a bt_sock? We shouldn't access
bt_sk(ctrl_sock->sk)->src if it's not a bt_sock, because there might be
sockets that have a "struct X_sock" that is smaller than "bt_sock" and hence
we would access unknown kernel memory.

>>
>> Signed-off-by: David Herrmann <dh.herrmann@xxxxxxxxx>
>> ---
>>  include/net/bluetooth/l2cap.h | 1 +
>>  net/bluetooth/hidp/core.c     | 2 ++
>>  net/bluetooth/l2cap_sock.c    | 6 ++++++
>>  3 files changed, 9 insertions(+)
>>
>> diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
>> index 7588ef4..ae6210e 100644
>> --- a/include/net/bluetooth/l2cap.h
>> +++ b/include/net/bluetooth/l2cap.h
>> @@ -787,6 +787,7 @@ extern bool disable_ertm;
>>
>>  int l2cap_init_sockets(void);
>>  void l2cap_cleanup_sockets(void);
>> +bool is_l2cap_socket(struct socket *s);
>
> Make it l2cap_is_socket() or something like that. Use 'sk' instead of 's'.

I will fix that. Thanks!

David
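Review bot: the new prototype in l2cap.h is, per the diffstat, called from net/bluetooth/hidp/core.c, which is built as a separate module from the L2CAP socket code, so the definition added to l2cap_sock.c has to be exported for hidp to link against it; the hunks for those two files are not quoted in this message, so that cannot be confirmed here. On the declaration itself, Gustavo's naming suggestion is the right one: `bool l2cap_is_socket(struct socket *sock);` keeps the l2cap_ prefix of the neighbouring `l2cap_init_sockets()` / `l2cap_cleanup_sockets()` declarations and names the parameter after what it is.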
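As an added example (not David's patch or kernel code), a userspace C model of the type confusion this message describes: the control and interrupt sockets are checked against the L2CAP ops table before anything is cast with bt_sk(). The body of l2cap_is_socket(), the toy struct layouts and the three scenarios are assumptions; the thread quotes only the prototype.

```c
/* Added example, not kernel code: userspace model of the check the patch adds.
 * Type names mirror the kernel's but are toy versions; the body of
 * l2cap_is_socket() is an assumption, the thread quotes only its prototype. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

typedef struct { unsigned char b[6]; } bdaddr_t;
struct sock { int family; };                            /* generic per-socket state */
struct bt_sock { struct sock sk; bdaddr_t src, dst; };  /* Bluetooth extension of sock */
struct tcp_like_sock { struct sock sk; };               /* unrelated, smaller protocol socket */
struct proto_ops { const char *name; };
struct socket { const struct proto_ops *ops; struct sock *sk; };

static const struct proto_ops l2cap_sock_ops = { "l2cap" }; /* stand-in for the L2CAP ops table */
static const struct proto_ops tcp_sock_ops = { "tcp" };

#define bt_sk(ptr) ((struct bt_sock *)(ptr))
static int bacmp(const bdaddr_t *a, const bdaddr_t *b) { return memcmp(a, b, sizeof(*a)); }

/* An L2CAP socket is recognised by its ops table, not by trusting the caller. */
bool l2cap_is_socket(struct socket *sock)
{
    return sock && sock->sk && sock->ops == &l2cap_sock_ops;
}

/* Model of the address comparison in hidp_add_connection(), now guarded.
 * Returns 0 on success, -1 for a non-L2CAP socket, -2 for mismatched addresses. */
int hidp_add_connection_checked(struct socket *ctrl_sock, struct socket *intr_sock)
{
    if (!l2cap_is_socket(ctrl_sock) || !l2cap_is_socket(intr_sock))
        return -1; /* refuse before any bt_sk() cast: a TCP sock has no src/dst fields */
    if (bacmp(&bt_sk(ctrl_sock->sk)->src, &bt_sk(intr_sock->sk)->src) ||
        bacmp(&bt_sk(ctrl_sock->sk)->dst, &bt_sk(intr_sock->sk)->dst))
        return -2;
    return 0;
}

/* Constructed scenarios: 0 = two L2CAP sockets with equal addresses,
 * 1 = ctrl is a TCP-like socket, 2 = L2CAP sockets whose dst addresses differ. */
int hidp_scenario(int which)
{
    bdaddr_t a = {{1, 2, 3, 4, 5, 6}}, b = {{6, 5, 4, 3, 2, 1}}, c = {{9, 9, 9, 9, 9, 9}};
    struct bt_sock ctrl = { {31}, a, b }, intr = { {31}, a, which == 2 ? c : b };
    struct tcp_like_sock tcp = { {2} };                   /* 31 = AF_BLUETOOTH, 2 = AF_INET */
    struct socket csock = { &l2cap_sock_ops, &ctrl.sk }, isock = { &l2cap_sock_ops, &intr.sk };
    if (which == 1) { csock.ops = &tcp_sock_ops; csock.sk = &tcp.sk; }
    return hidp_add_connection_checked(&csock, &isock);
}
```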