Skip to content

Commit

Permalink
Bluetooth: RFCOMM - Fix info leak in ioctl(RFCOMMGETDEVLIST)
Browse files Browse the repository at this point in the history 
The RFCOMM code fails to initialize the two padding bytes of struct
rfcomm_dev_list_req inserted for alignment before copying it to
userland. Additionally there are two padding bytes in each instance of
struct rfcomm_dev_info. The ioctl() that for disclosures two bytes plus
dev_num times two bytes uninitialized kernel heap memory.

Allocate the memory using kzalloc() to fix this issue.

Signed-off-by: Mathias Krause <[email protected]>
Cc: Marcel Holtmann <[email protected]>
Cc: Gustavo Padovan <[email protected]>
Cc: Johan Hedberg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
  • Loading branch information
@minipli @davem330
minipli authored and davem330 committed Aug 16, 2012
1 parent 9ad2de4 commit f9432c5
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/bluetooth/rfcomm/tty.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -456,7 +456,7 @@ static int rfcomm_get_dev_list(void __user *arg)

size = sizeof(*dl) + dev_num * sizeof(*di);

dl = kmalloc(size, GFP_KERNEL);
dl = kzalloc(size, GFP_KERNEL);
if (!dl)
return -ENOMEM;

Expand Down

0 comments on commit f9432c5

Please sign in to comment.