[kernel/f14] CVE-2011-2497: bluetooth: buffer overflow in l2cap config request

Chuck Ebbert cebbert at fedoraproject.org
Tue Aug 16 03:08:22 UTC 2011


commit f77745ccf7adc0187e48815e4414c526a71fe9eb
Author: Chuck Ebbert <cebbert at redhat.com>
Date:   Mon Aug 15 23:08:05 2011 -0400

    CVE-2011-2497: bluetooth: buffer overflow in l2cap config request

 ...t-buffer-overflow-in-l2cap-config-request.patch |   32 ++++++++++++++++++++
 kernel.spec                                        |    5 +++
 2 files changed, 37 insertions(+), 0 deletions(-)
---
diff --git a/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch b/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
new file mode 100644
index 0000000..e861b72
--- /dev/null
+++ b/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
@@ -0,0 +1,32 @@
+From: Dan Rosenberg <drosenberg at vsecurity.com>
+Date: Fri, 24 Jun 2011 12:38:05 +0000 (-0400)
+Subject: Bluetooth: Prevent buffer overflow in l2cap config request
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Fpadovan%2Fbluetooth-2.6.git;a=commitdiff_plain;h=7ac28817536797fd40e9646452183606f9e17f71
+
+Bluetooth: Prevent buffer overflow in l2cap config request
+[ backport to 2.6.35 ]
+
+A remote user can provide a small value for the command size field in
+the command header of an l2cap configuration request, resulting in an
+integer underflow when subtracting the size of the configuration request
+header.  This results in copying a very large amount of data via
+memcpy() and destroying the kernel heap.  Check for underflow.
+
+Signed-off-by: Dan Rosenberg <drosenberg at vsecurity.com>
+Cc: stable <stable at kernel.org>
+Signed-off-by: Gustavo F. Padovan <padovan at profusion.mobi>
+---
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 56fdd91..7d8a66b 100644
+--- a/net/bluetooth/l2cap.c
++++ b/net/bluetooth/l2cap.c
+@@ -2962,7 +2962,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, struct l2cap_cmd_hdr
+ 
+ 	/* Reject if config buffer is too small. */
+ 	len = cmd_len - sizeof(*req);
+-	if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
++	if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) {
+ 		l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP,
+ 				l2cap_build_conf_rsp(sk, rsp,
+ 					L2CAP_CONF_REJECT, flags), rsp);
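Review bot: the `len < 0` check in the `l2cap_config_req` hunk only rejects the underflow if `len` is a signed type; the hunk's context does not show the declaration, so confirm that the 2.6.35 `l2cap.c` declares it as `int len` (with `cmd_len` a `u16`, `cmd_len - sizeof(*req)` wraps in `size_t` and only becomes negative on assignment to a signed `len`). Also, the nested header names `a/net/bluetooth/l2cap_core.c` on the `diff --git` line while the `---`/`+++` lines name `net/bluetooth/l2cap.c`; `patch -p1` follows the `---`/`+++` lines so it applies, but for a backport note like "[ backport to 2.6.35 ]" it would be cleaner to make the `diff --git` line match the file actually touched.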
diff --git a/kernel.spec b/kernel.spec
index b759b85..ec6671f 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -840,6 +840,8 @@ Patch14002: iwlwifi-add_ack_plpc_check-module-parameters.patch
 Patch14010: perf-tools-do-not-look-at-config-for-configuration.patch
 # CVE-2011-2695
 Patch14011: ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
+# CVE-2011-2497
+Patch14012: bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
 
 %endif
 
@@ -1580,6 +1582,8 @@ ApplyPatch iwlagn-use-cts-to-self-protection-on-5000-adapters-series.patch
 ApplyPatch perf-tools-do-not-look-at-config-for-configuration.patch
 # CVE-2011-2695
 ApplyPatch ext4-fix-max-file-size-and-logical-block-counting-of-extent-format-file.patch
+# CVE-2011-2497
+ApplyPatch bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2170,6 +2174,7 @@ fi
 * Mon Aug 15 2011 Chuck Ebbert <cebbert at redhat.com>
 - CVE-2011-2905: perf tools: may parse user-controlled configuration file
 - CVE-2011-2695: ext4: kernel panic when writing data to the last block of sparse file
+- CVE-2011-2497: bluetooth: buffer overflow in l2cap config request
 
 * Wed Aug 03 2011 Chuck Ebbert <cebbert at redhat.com> 2.6.35.14-94
 - Linux 2.6.35.14