[kernel] r8327 - in dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian: . patches patches/series

Dann Frazier dannf at alioth.debian.org
Tue Feb 27 07:13:42 UTC 2007 

Author: dannf
Date: Tue Feb 27 08:13:41 2007
New Revision: 8327

Added:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/241_bluetooth-capi-size-checks.diff
Modified:
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
   dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
Log:
* 241_bluetooth-capi-size-checks.diff
  [SECURITY] Add additional length checks to avoid potential remote
  DoS attacks in the handling of CAPI messages in the bluetooth driver
  See CVE-2006-6106

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/changelog	Tue Feb 27 08:13:41 2007
@@ -6,8 +6,12 @@
   * [ERRATA] 240_smbfs-honor-mount-opts-2.diff
     Fix some regressions with respect to file types (e.g., symlinks)
     introduced by the fix for CVE-2006-5871 in 2.4.27-10sarge5
+  * 241_bluetooth-capi-size-checks.diff
+    [SECURITY] Add additional length checks to avoid potential remote
+    DoS attacks in the handling of CAPI messages in the bluetooth driver
+    See CVE-2006-6106
 
- -- dann frazier <dannf at debian.org>  Sat, 10 Feb 2007 14:02:16 -0700
+ -- dann frazier <dannf at debian.org>  Tue, 27 Feb 2007 00:10:14 -0700
 
 kernel-source-2.4.27 (2.4.27-10sarge5) stable-security; urgency=high
 

Added: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/241_bluetooth-capi-size-checks.diff
==============================================================================
--- (empty file)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/241_bluetooth-capi-size-checks.diff	Tue Feb 27 08:13:41 2007
@@ -0,0 +1,120 @@
+From: Marcel Holtmann <holtmann at redhat.com>
+Date: Thu, 14 Dec 2006 12:53:31 +0000 (+0100)
+Subject: [PATCH] [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)
+X-Git-Tag: v2.4.34-rc2~1
+X-Git-Url: http://www.kernel.org/git/?p=linux%2Fkernel%2Fgit%2Fwtarreau%2Flinux-2.4.git;a=commitdiff_plain;h=58d134d0a42e96d01f545ca17efd2837b7ec90aa
+
+[PATCH] [Bluetooth] Add packet size checks for CAPI messages (CVE-2006-6106)
+
+With malformed packets it might be possible to overwrite internal
+CMTP and CAPI data structures. This patch adds additional length
+checks to prevent these kinds of remote attacks.
+
+Signed-off-by: Marcel Holtmann <marcel at holtmann.org>
+---
+
+diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c
+index cc91b75..6273fe3 100644
+--- a/net/bluetooth/cmtp/capi.c
++++ b/net/bluetooth/cmtp/capi.c
+@@ -192,6 +192,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 
+ 	switch (CAPIMSG_SUBCOMMAND(skb->data)) {
+ 	case CAPI_CONF:
++		if (skb->len < CAPI_MSG_BASELEN + 10)
++			break;
++
+ 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5);
+ 		info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8);
+ 
+@@ -222,6 +225,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_PROFILE:
++			if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile))
++				break;
++
+ 			controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11);
+ 			msgnum = CAPIMSG_MSGID(skb->data);
+ 
+@@ -242,17 +248,26 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_MANUFACTURER:
++			if (skb->len < CAPI_MSG_BASELEN + 15)
++				break;
++
+ 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10);
+ 
+ 			if (!info && ctrl) {
++				int len = min_t(uint, CAPI_MANUFACTURER_LEN,
++						skb->data[CAPI_MSG_BASELEN + 14]);
++
++				memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
+ 				strncpy(ctrl->manu,
+-					skb->data + CAPI_MSG_BASELEN + 15,
+-					skb->data[CAPI_MSG_BASELEN + 14]);
++					skb->data + CAPI_MSG_BASELEN + 15, len);
+ 			}
+ 
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_VERSION:
++			if (skb->len < CAPI_MSG_BASELEN + 32)
++				break;
++
+ 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
+ 
+ 			if (!info && ctrl) {
+@@ -265,13 +280,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 			break;
+ 
+ 		case CAPI_FUNCTION_GET_SERIAL_NUMBER:
++			if (skb->len < CAPI_MSG_BASELEN + 17)
++				break;
++
+ 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
+ 
+ 			if (!info && ctrl) {
++				int len = min_t(uint, CAPI_SERIAL_LEN,
++						skb->data[CAPI_MSG_BASELEN + 16]);
++
+ 				memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
+ 				strncpy(ctrl->serial,
+-					skb->data + CAPI_MSG_BASELEN + 17,
+-					skb->data[CAPI_MSG_BASELEN + 16]);
++					skb->data + CAPI_MSG_BASELEN + 17, len);
+ 			}
+ 
+ 			break;
+@@ -280,14 +300,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
+ 		break;
+ 
+ 	case CAPI_IND:
++		if (skb->len < CAPI_MSG_BASELEN + 6)
++			break;
++
+ 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3);
+ 
+ 		if (func == CAPI_FUNCTION_LOOPBACK) {
++			int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6,
++						skb->data[CAPI_MSG_BASELEN + 5]);
+ 			appl = CAPIMSG_APPID(skb->data);
+ 			msgnum = CAPIMSG_MSGID(skb->data);
+ 			cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func,
+-						skb->data + CAPI_MSG_BASELEN + 6,
+-						skb->data[CAPI_MSG_BASELEN + 5]);
++						skb->data + CAPI_MSG_BASELEN + 6, len);
+ 		}
+ 
+ 		break;
+@@ -305,6 +329,9 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
+ 
+ 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
+ 
++	if (skb->len < CAPI_MSG_BASELEN)
++		return;
++
+ 	if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) {
+ 		cmtp_recv_interopmsg(session, skb);
+ 		return;

Modified: dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6
==============================================================================
--- dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	(original)
+++ dists/sarge-security/kernel-2.4/source/kernel-source-2.4.27-2.4.27/debian/patches/series/2.4.27-10sarge6	Tue Feb 27 08:13:41 2007
@@ -1,2 +1,3 @@
 + 239_mincore-hang.diff
 + 240_smbfs-honor-mount-opts-2.diff
++ 241_bluetooth-capi-size-checks.diff

More information about the Kernel-svn-changes mailing list