[Bluetooth] Fix L2CAP and HCI setsockopt() information leaks
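diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index f928d2b..bfc9a35 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -375,7 +375,7 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock,
 copied = len;
 }
-skb->h.raw = skb->data;
+skb_reset_transport_header(skb);
 err = skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied);
 hci_sock_cmsg(sk, msg, skb);
@@ -499,6 +499,15 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname, char
 break;
 case HCI_FILTER:
+{
+struct hci_filter *f = &hci_pi(sk)->filter;
+
+uf.type_mask = f->type_mask;
+uf.opcode = f->opcode;
+uf.event_mask[0] = *((u32 *) f->event_mask + 0);
+uf.event_mask[1] = *((u32 *) f->event_mask + 1);
+}
+
 len = min_t(unsigned int, len, sizeof(uf));
 if (copy_from_user(&uf, optval, len)) {
 err = -EFAULT;
@@ -656,7 +665,7 @@ static int hci_sock_dev_event(struct notifier_block *this, unsigned long event,
 /* Detach sockets from device */
 read_lock(&hci_sk_list.lock);
 sk_for_each(sk, node, &hci_sk_list.head) {
-bh_lock_sock(sk);
+lock_sock(sk);
 if (hci_pi(sk)->hdev == hdev) {
 hci_pi(sk)->hdev = NULL;
 sk->sk_err = EPIPE;
@@ -665,7 +674,7 @@ static int hci_sock_dev_event(struct notifier_block *this, unsigned long event,
 hci_dev_put(hdev);
 }
-bh_unlock_sock(sk);
+release_sock(sk);
 }
 read_unlock(&hci_sk_list.lock);
 }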
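Review bot: In the last two hunks of hci_sock_dev_event(), `lock_sock(sk)` and `release_sock(sk)` are now called inside the `read_lock(&hci_sk_list.lock)` section visible in the context lines, and lock_sock() may sleep while waiting for the socket owner, which is not allowed while a read-write spinlock is held. Unless the list lock is changed elsewhere, these two lines should stay `bh_lock_sock(sk);` and `bh_unlock_sock(sk);`, or the loop should be restructured so the socket lock is taken outside the spinlock. The function starts outside the hunks, so the calling context cannot be confirmed from here. Separately, the new block under `case HCI_FILTER:` deserves a one-line comment such as `/* Seed uf from the current filter so a short optval cannot leave fields of uf unset */`, because that is the information-leak fix named in the title and the reason is not evident from the code alone.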