Commit 8c9a51a4 authored by Luiz Augusto von Dentz's avatar Luiz Augusto von Dentz Committed by Zheng Zengkai
Browse files

Bluetooth: L2CAP: Fix attempting to access uninitialized memory 

stable inclusion
from stable-v5.10.154
commit 26ca2ac091b49281d73df86111d16e5a76e43bd7
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5ZNRS
CVE: CVE-2022-42895

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=26ca2ac091b49281d73df86111d16e5a76e43bd7



--------------------------------

commit b1a2cd50 upstream.

On l2cap_parse_conf_req the variable efs is only initialized if
remote_efs has been set.

CVE: CVE-2022-42895
CC: stable@vger.kernel.org
Reported-by: default avatarTamás Koczka <poprdi@google.com>
Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Reviewed-by: default avatarTedd Ho-Jeong An <tedd.an@intel.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarBaisong Zhong <zhongbaisong@huawei.com>
Reviewed-by: default avatarLiu Jian <liujian56@huawei.com>
Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Reviewed-by: default avatarWang Weiyang <wangweiyang2@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 3a3e097a

net/bluetooth/l2cap_core.c

+2 −1
Original line number Diff line number Diff line
@@ -3758,7 +3758,8 @@ static int l2cap_parse_conf_req(struct l2cap_chan *chan, void *data, size_t data 
			l2cap_add_conf_opt(&ptr, L2CAP_CONF_RFC,

					   sizeof(rfc), (unsigned long) &rfc, endptr - ptr);



			if (test_bit(FLAG_EFS_ENABLE, &chan->flags)) {

			if (remote_efs &&

			    test_bit(FLAG_EFS_ENABLE, &chan->flags)) {

				chan->remote_id = efs.id;

				chan->remote_stype = efs.stype;

				chan->remote_msdu = le16_to_cpu(efs.msdu);