Commit 9ad2de43 authored by Mathias Krause, committed by David S. Miller

Bluetooth: RFCOMM - Fix info leak in getsockopt(BT_SECURITY)

The RFCOMM code fails to initialize the key_size member of struct
bt_security before copying it to userland -- thereby leaking one
byte of kernel stack. Initialize key_size with 0 to avoid the info
Signed-off-by: Mathias Krause <>
Cc: Marcel Holtmann <>
Cc: Gustavo Padovan <>
Cc: Johan Hedberg <>
Signed-off-by: David S. Miller <>
parent 3f68ba07
......@@ -822,6 +822,7 @@ static int rfcomm_sock_getsockopt(struct socket *sock, int level, int optname, c
sec.level = rfcomm_pi(sk)->sec_level;
sec.key_size = 0;
len = min_t(unsigned int, len, sizeof(sec));
if (copy_to_user(optval, (char *) &sec, len))
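Review bot: Initializing `sec` one member at a time, as `sec.key_size = 0;` does here, leaves the same class of leak open for any member or padding that is later added to the struct, because `copy_to_user(optval, (char *) &sec, len)` copies up to `sizeof(sec)` bytes of the stack object regardless of which fields were assigned. Consider zeroing the whole object before `sec.level` is set, for example `memset(&sec, 0, sizeof(sec));`, so the copy cannot expose uninitialized stack bytes even if the structure changes. A short comment next to the initialization saying that the struct is copied to userland would also help keep the zeroing from being removed as redundant.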