On Sunday, 18.10.2020, at 10:05 +0200, Stefan Gottwald wrote:

> Due to security reasons the rsp struct is not zeroed out in one case this will > also zero out the former set rsp.id which seems to be wrong. > > Signed-off-by: Stefan Gottwald <gotti79@xxxxxxxxxx> > --- > net/bluetooth/a2mp.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/net/bluetooth/a2mp.c b/net/bluetooth/a2mp.c > index da7fd7c..7a1e0b7 100644 > --- a/net/bluetooth/a2mp.c > +++ b/net/bluetooth/a2mp.c > @@ -381,10 +381,11 @@ static int a2mp_getampassoc_req(struct amp_mgr *mgr, struct sk_buff *skb, > hdev = hci_dev_get(req->id); > if (!hdev || hdev->amp_type == AMP_TYPE_BREDR || tmp) { > struct a2mp_amp_assoc_rsp rsp; > - rsp.id = req->id; > > memset(&rsp, 0, sizeof(rsp)); > > + rsp.id = req->id; > + > if (tmp) { > rsp.status = A2MP_STATUS_COLLISION_OCCURED; > amp_mgr_put(tmp);

As it seems I'm too slow, there is already a fix from the author of the initial patch. https://lore.kernel.org/linux-bluetooth/20201016180956.707681-2-luiz.dentz@xxxxxxxxx/

There is an additional patch in this series which might also be an important fix: https://lore.kernel.org/linux-bluetooth/20201016180956.707681-1-luiz.dentz@xxxxxxxxx/

Thanks to an LWN member pointing this out to me.
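Review bot: the commit message for the moved rsp.id = req->id; line in the error branch of a2mp_getampassoc_req() has no Fixes: tag and does not name the change that added the memset(), so trees that picked up that change cannot pull this correction in alongside it. Please add the tag for the commit that introduced memset(&rsp, 0, sizeof(rsp)); here. The first sentence of the message also says the struct is "not" zeroed out, which contradicts the hunk; something like "the rsp struct is now zeroed out, which also clears the previously set rsp.id" would match what the code shows. The new ordering itself (memset() first, then the field assignments) is the right one for a stack struct that is sent back to the peer: it keeps uninitialized bytes out of the response without losing the id.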