Re: Patch "Bluetooth: Fix invalid length check in l2cap_information_rsp()" has been added to the 3.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jun 28, 2013 at 05:00:30PM +0400, Johan Hedberg wrote:
> Hi Luis,
> 
> On Fri, Jun 28, 2013, Luis Henriques wrote:
> > > --- a/net/bluetooth/l2cap_core.c
> > > +++ b/net/bluetooth/l2cap_core.c
> > > @@ -3399,7 +3399,7 @@ static inline int l2cap_move_channel_con
> > >  	struct l2cap_move_chan_cfm_rsp *rsp = data;
> > >  	u16 icid;
> > >  
> > > -	if (cmd_len != sizeof(*rsp))
> > > +	if (cmd_len < sizeof(*rsp))
> > >  		return -EPROTO;
> > >  
> > >  	icid = le16_to_cpu(rsp->icid);
> > >
> > 
> > I have doubts about the correctness of this backport: the original
> > commit modifies function l2cap_information_rsp(), while this backport
> > changes l2cap_move_channel_confirm_rsp().
> > 
> > Looking at mainline code, l2cap_move_channel_confirm_rsp() does not
> > contain the change you're introducing.  Maybe I'm misreading the code
> > and missing something.
> > 
> > Besides, the commit text claims it is fixing an issue introduced by
> > cb3b3152b2f5939d67005cff841a1ca748b19888, which is actually not
> > present in the 3.4 kernel.
> 
> Looks incorrect to me too. The commit that this depends on
> (cb3b3152b2f5939d67005cff841a1ca748b19888) did also have the Cc: stable
> tag, but it never made it to the 3.4 branch.

Thanks for both of you checking this out, I've now dropped it from the
3.4-stable tree.

greg k-h
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]