Message ID | tencent_FE3C6F369E968237444B7E74BD7625670A09@qq.com (mailing list archive) |
---|---|
State | Rejected |
Series | Bluetooth: fix oob in rfcomm_sock_setsockopt |
Context | Check | Description |
---|---|---|
tedd_an/pre-ci_am | fail | error: patch failed: net/bluetooth/rfcomm/sock.c:629 error: net/bluetooth/rfcomm/sock.c: patch does not apply hint: Use 'git am --show-current-patch' to see the failed patch |
Hi Edward, On Tue, Apr 9, 2024 at 9:36 AM Edward Adam Davis <eadavis@qq.com> wrote: > > If optlen < sizeof(u32) it will trigger oob, so take the min of them. > > Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com > Signed-off-by: Edward Adam Davis <eadavis@qq.com> > --- > net/bluetooth/rfcomm/sock.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c > index b54e8a530f55..42c55c756b51 100644 > --- a/net/bluetooth/rfcomm/sock.c > +++ b/net/bluetooth/rfcomm/sock.c > @@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, > > switch (optname) { > case RFCOMM_LM: > - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { > + if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) { > err = -EFAULT; > break; > } > -- > 2.43.0 This has been dealt with already: https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=ee77912bc0bbd78fceb785a81cc9108fa954982f
This is an automated email and please do not reply to this email.

Dear Submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
While preparing the CI tests, the patches you submitted couldn't be applied to the current HEAD of the repository.

----- Output -----
error: patch failed: net/bluetooth/rfcomm/sock.c:629
error: net/bluetooth/rfcomm/sock.c: patch does not apply
hint: Use 'git am --show-current-patch' to see the failed patch

Please resolve the issue and submit the patches again.

---
Regards,
Linux Bluetooth
diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index b54e8a530f55..42c55c756b51 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -629,7 +629,7 @@ static int rfcomm_sock_setsockopt_old(struct socket *sock, int optname, switch (optname) { case RFCOMM_LM: - if (copy_from_sockptr(&opt, optval, sizeof(u32))) { + if (copy_from_sockptr(&opt, optval, min_t(int, sizeof(u32), optlen))) { err = -EFAULT; break; }
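Review bot: In the RFCOMM_LM case, clamping the copy length with min_t(int, sizeof(u32), optlen) accepts a short optlen instead of rejecting it: when optlen is smaller than sizeof(u32), only the first optlen bytes of opt are written and the remaining bytes keep whatever opt held before the call, and the hunk does not show opt being initialized. An explicit check ahead of the copy that sets err = -EINVAL and breaks when optlen < sizeof(u32), with the copy size left at sizeof(u32), avoids both the out-of-bounds read and the partially filled opt. The int cast in min_t also means that an optlen which is negative when viewed as int would be selected as the copy size, so the comparison is better done without narrowing to a signed type.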
If optlen < sizeof(u32) it will trigger oob, so take the min of them.

Reported-by: syzbot+d4ecae01a53fd9b42e7d@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 net/bluetooth/rfcomm/sock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)