[kernel] r8326 - in dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 27 07:07:59 UTC 2007


Author: dannf
Date: Tue Feb 27 08:07:58 2007
New Revision: 8326

Added:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-capi-size-checks.dpatch
Modified:
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
   dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
Log:
* bluetooth-capi-size-checks.dpatch
  [SECURITY] Add additional length checks to avoid potential remote
  DoS attacks in the handling of CAPI messages in the bluetooth driver
  See CVE-2006-6106

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/changelog	Tue Feb 27 08:07:58 2007
@@ -20,9 +20,12 @@
     of the patch that went into 2.6.17.y. It would be better to fix the
     receiving end, but no patch for the era kernel has been developed yet.
     See CVE-2006-4623
-    
+  * bluetooth-capi-size-checks.dpatch
+    [SECURITY] Add additional length checks to avoid potential remote
+    DoS attacks in the handling of CAPI messages in the bluetooth driver
+    See CVE-2006-6106
 
- -- dann frazier <dannf at debian.org>  Sat, 10 Feb 2007 13:53:53 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 27 Feb 2007 00:00:25 -0700
 
 kernel-source-2.6.8 (2.6.8-16sarge6) stable-security; urgency=high
 

Added: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-capi-size-checks.dpatch
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/bluetooth-capi-size-checks.dpatch	Tue Feb 27 08:07:58 2007
@@ -0,0 +1,120 @@
+From: Marcel Holtmann <marcel at holtmann.org>
+Date: Mon, 8 Jan 2007 01:16:23 +0000 (+0100)
+Subject: [Bluetooth] Add packet size checks for CAPI messages
+X-Git-Tag: v2.6.20^0~239^2~15
+X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=f4777569204cb59f2f04fbe9ef4e9a6918209104;hp=d2e7543c41755f4ec75385536b109d5f084fe734
+
+[Bluetooth] Add packet size checks for CAPI messages
+
+With malformed packets it might be possible to overwrite internal
+CMTP and CAPI data structures. This patch adds additional length
+checks to prevent these kinds of remote attacks.
+
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+
+diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
+index be04e9f..ab166b4 100644
+--- a/net/bluetooth/cmtp/capi.c
++++ b/net/bluetooth/cmtp/capi.c
+@@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 
+ 	switch (CAPIMSG_SUBCOMMAND(skb->data)) {
+ 	case CAPI_CONF:
++		if (skb->len < CAPI_MSG_BASELEN + 10)
++			break;
++
+ 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5);
+ 		info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8);
+ 
+@@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_PROFILE:
++			if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile))
++				break;
++
+ 			controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11);
+ 			msgnum = CAPIMSG_MSGID(skb->data);
+ 
+@@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_MANUFACTURER:
++			if (skb->len < CAPI_MSG_BASELEN + 15)
++				break;
++
+ 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10);
+ 
+ 			if (!info && ctrl) {
++				int len = min_t(uint, CAPI_MANUFACTURER_LEN,
++						skb->data[CAPI_MSG_BASELEN + 14]);
++
++				memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
+ 				strncpy(ctrl->manu,
+-					skb->data + CAPI_MSG_BASELEN + 15,
+-					skb->data[CAPI_MSG_BASELEN + 14]);
++					skb->data + CAPI_MSG_BASELEN + 15, len);
+ 			}
+ 
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_VERSION:
++			if (skb->len < CAPI_MSG_BASELEN + 32)
++				break;
++
+ 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
+ 
+ 			if (!info && ctrl) {
+@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_SERIAL_NUMBER:
++			if (skb->len < CAPI_MSG_BASELEN + 17)
++				break;
++
+ 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
+ 
+ 			if (!info && ctrl) {
++				int len = min_t(uint, CAPI_SERIAL_LEN,
++						skb->data[CAPI_MSG_BASELEN + 16]);
++
+ 				memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
+ 				strncpy(ctrl->serial,
+-					skb->data + CAPI_MSG_BASELEN + 17,
+-					skb->data[CAPI_MSG_BASELEN + 16]);
++					skb->data + CAPI_MSG_BASELEN + 17, len);
+ 			}
+ 
+ 			break;
+@@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 		break;
+ 
+ 	case CAPI_IND:
++		if (skb->len < CAPI_MSG_BASELEN + 6)
++			break;
++
+ 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3);
+ 
+ 		if (func == CAPI_FUNCTION_LOOPBACK) {
++			int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6,
++						skb->data[CAPI_MSG_BASELEN + 5]);
+ 			appl = CAPIMSG_APPID(skb->data);
+ 			msgnum = CAPIMSG_MSGID(skb->data);
+ 			cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func,
+-						skb->data + CAPI_MSG_BASELEN + 6,
+-						skb->data[CAPI_MSG_BASELEN + 5]);
++						skb->data + CAPI_MSG_BASELEN + 6, len);
+ 		}
+ 
+ 		break;
+@@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
+ 
+ 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
+ 
++	if (skb->len < CAPI_MSG_BASELEN)
++		return;
++
+ 	if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) {
+ 		cmtp_recv_interopmsg(session, skb);
+ 		return;
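Review bot: In the GET_MANUFACTURER and GET_SERIAL_NUMBER cases of cmtp_recv_interopmsg the new guards only cover the bytes up to the length octet, so the strncpy source at `skb->data + CAPI_MSG_BASELEN + 15` (and `+ 17`) can still run past `skb->len` when that octet advertises more payload than the frame carries; `len` is capped by the destination size but not by the remaining message bytes, unlike the CAPI_IND loopback case, which uses `skb->len - CAPI_MSG_BASELEN - 6`. Bounding the copy against the frame as well would make the three cases consistent, e.g. `int len = min_t(uint, CAPI_MANUFACTURER_LEN, skb->data[CAPI_MSG_BASELEN + 14]);` followed by `len = min_t(uint, len, skb->len - CAPI_MSG_BASELEN - 15);`, and the same shape with `CAPI_SERIAL_LEN`, `+ 16` and `- 17` for the serial case. Whether such an over-read stays inside the skb's allocation depends on its tailroom, which this hunk does not show, so treat it as something to confirm rather than a proven fault. Note also that when `len` equals `CAPI_MANUFACTURER_LEN` (or `CAPI_SERIAL_LEN`) the strncpy leaves the buffer without a terminator despite the preceding memset, which only matters if a consumer reads it as a C string — not visible from here. The GET_PROFILE guard adds `sizeof(capi_profile)` to cover a copy that lies outside the hunk; the body of cmtp_recv_interopmsg begins before the first nested hunk and continues past the last.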

Modified: dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7
==============================================================================
--- dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	(original)
+++ dists/sarge-security/kernel/source/kernel-source-2.6.8-2.6.8/debian/patches/series/2.6.8-16sarge7	Tue Feb 27 08:07:58 2007
@@ -3,3 +3,4 @@
 + dev_queue_xmit-error-path.dpatch
 + dvb-core-handle-0-length-ule-sndu.dpatch
 + smbfs-honor-mount-opts-2.dpatch
++ bluetooth-capi-size-checks.dpatch


