Bluetooth: Properly check L2CAP config option output buffer length
author Ben Seri <ben@armis.com>
Sat, 9 Sep 2017 21:15:59 +0000 (23:15 +0200)
committer Ben Hutchings <ben@decadent.org.uk>
Thu, 12 Oct 2017 14:27:20 +0000 (15:27 +0100)
commit 26d624204b5243a0c928bad4bf62560bb63f385d
tree 5cf39529c59b36bb70d646fc37c1577286bf366d
parent 7d38a8202c4a6acf91d6163f53f3253a261bbd22
Bluetooth: Properly check L2CAP config option output buffer length

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.2:
 - Drop changes to handling of L2CAP_CONF_EFS, L2CAP_CONF_EWS
 - Drop changes to l2cap_do_create(), l2cap_security_cfm(), and L2CAP_CONF_PENDING
   case in l2cap_config_rsp()
 - In l2cap_config_rsp(), s/buf/req/
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
net/bluetooth/l2cap_core.c
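
The bounded-append pattern the commit message describes, shown as an added user-space C example; it is not the kernel patch or code from this commit. The function names, the 64-byte output size and the sample option values are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CONF_OPT_HDR 2   /* type byte + length byte */

/* Append one type-length-value option at *ptr if it fits in `size` bytes.
 * Returns 0 on success, -1 (nothing written) when the option would not fit
 * or the value length is unsupported. Hypothetical helper. */
static int add_conf_opt(uint8_t **ptr, uint8_t type, uint8_t len,
                        uint32_t val, size_t size)
{
    uint8_t *p = *ptr;

    if (len != 1 && len != 2 && len != 4)
        return -1;
    if (size < (size_t)CONF_OPT_HDR + len)  /* the output-length check */
        return -1;

    p[0] = type;
    p[1] = len;
    for (uint8_t i = 0; i < len; i++)       /* little-endian value */
        p[CONF_OPT_HDR + i] = (uint8_t)(val >> (8 * i));
    *ptr = p + CONF_OPT_HDR + len;
    return 0;
}

/* Write `count` copies of a 2-byte option (constructed input standing in for
 * options driven by a peer's request) into out[0..out_len).
 * Returns the number of bytes written. Hypothetical helper. */
static size_t build_rsp(uint8_t *out, size_t out_len, unsigned count)
{
    uint8_t *ptr = out, *endptr = out + out_len;

    for (unsigned i = 0; i < count; i++) {
        /* remaining space is recomputed before every append */
        if (add_conf_opt(&ptr, 0x01, 2, 0x02a0, (size_t)(endptr - ptr)) < 0)
            break;
    }
    return (size_t)(ptr - out);
}

int main(void)
{
    uint8_t buf[64 + 8];
    memset(buf, 0xAA, sizeof(buf));         /* last 8 bytes act as a canary */
    size_t n = build_rsp(buf, 64, 100);     /* 100 options would need 400 bytes */
    return (n == 64 && buf[64] == 0xAA) ? 0 : 1;
}
```

Without the `size` argument the loop would keep writing past the 64-byte region; with it, building stops at the last option that fits and the canary bytes stay intact.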