This is a note to let you know that I've just added the patch titled
Bluetooth: Fix using uninitialized option in RFCMode
to the 3.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bluetooth-fix-using-uninitialized-option-in-rfcmode.patch
and it can be found in the queue-3.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.
>From 8f321f853ea33330c7141977cd34804476e2e07e Mon Sep 17 00:00:00 2001
From: Szymon Janc <[email protected]>
Date: Fri, 8 Jun 2012 11:33:33 +0200
Subject: Bluetooth: Fix using uninitialized option in RFCMode
From: Szymon Janc <[email protected]>
commit 8f321f853ea33330c7141977cd34804476e2e07e upstream.
If remote device sends bogus RFC option with invalid length,
undefined options values are used. Fix this by using defaults when
remote misbehaves.
This also fixes the following warning reported by gcc 4.7.0:
net/bluetooth/l2cap_core.c: In function 'l2cap_config_rsp':
net/bluetooth/l2cap_core.c:3302:13: warning: 'rfc.max_pdu_size' may be used
uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.max_pdu_size' was declared here
net/bluetooth/l2cap_core.c:3298:25: warning: 'rfc.monitor_timeout' may be used
uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.monitor_timeout' was declared
here
net/bluetooth/l2cap_core.c:3297:25: warning: 'rfc.retrans_timeout' may be used
uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.retrans_timeout' was declared
here
net/bluetooth/l2cap_core.c:3295:2: warning: 'rfc.mode' may be used
uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.mode' was declared here
Signed-off-by: Szymon Janc <[email protected]>
Signed-off-by: Gustavo Padovan <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/bluetooth/l2cap_core.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -2585,12 +2585,14 @@ static void l2cap_conf_rfc_get(struct l2
while (len >= L2CAP_CONF_OPT_SIZE) {
len -= l2cap_get_conf_opt(&rsp, &type, &olen, &val);
- switch (type) {
- case L2CAP_CONF_RFC:
- if (olen == sizeof(rfc))
- memcpy(&rfc, (void *)val, olen);
- goto done;
- }
+ if (type != L2CAP_CONF_RFC)
+ continue;
+
+ if (olen != sizeof(rfc))
+ break;
+
+ memcpy(&rfc, (void *)val, olen);
+ goto done;
}
/* Use sane default values in case a misbehaving remote device
Patches currently in stable-queue which might be from [email protected] are
queue-3.4/bluetooth-fix-using-uninitialized-option-in-rfcmode.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
