Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)

With malformed packets it might be possible to overwrite internal CMTP and CAPI data structures. This patch adds additional length checks to prevent these kinds of remote attacks. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>

Bluetooth: Add packet size checks for CAPI messages (CVE-2006-6106)
With malformed packets it might be possible to overwrite internal CMTP and CAPI data structures. This patch adds additional length checks to prevent these kinds of remote attacks. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de>
044a3e96 · Marcel Holtmann · Adrian Bunk · d9be4281 · 044a3e96
Commit 044a3e96 authored Jan 04, 2007 by Marcel Holtmann Committed by Adrian Bunk Jan 09, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 6 deletions

net/bluetooth/cmtp/capi.c net/bluetooth/cmtp/capi.c +33 -6

No files found.
--- a/net/bluetooth/cmtp/capi.c
+++ b/net/bluetooth/cmtp/capi.c
@@ -199,6 +199,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
 	switch (CAPIMSG_SUBCOMMAND(skb->data)) {
 	case CAPI_CONF:
+		if (skb->len < CAPI_MSG_BASELEN + 10)
+			break;
 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5);
 		info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8);
@@ -229,6 +232,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
 			break;
 		case CAPI_FUNCTION_GET_PROFILE:
+			if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile))
+				break;
 			controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11);
 			msgnum = CAPIMSG_MSGID(skb->data);
@@ -249,17 +255,26 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
 			break;
 		case CAPI_FUNCTION_GET_MANUFACTURER:
+			if (skb->len < CAPI_MSG_BASELEN + 15)
+				break;
 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10);
 			if (!info && ctrl) {
+				int len = min_t(uint, CAPI_MANUFACTURER_LEN,
+						skb->data[CAPI_MSG_BASELEN + 14]);
+				memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN);
 				strncpy(ctrl->manu,
-					skb->data + CAPI_MSG_BASELEN + 15,
+					skb->data + CAPI_MSG_BASELEN + 15, len);
-					skb->data[CAPI_MSG_BASELEN + 14]);
 			}
 			break;
 		case CAPI_FUNCTION_GET_VERSION:
+			if (skb->len < CAPI_MSG_BASELEN + 32)
+				break;
 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
 			if (!info && ctrl) {
@@ -272,13 +287,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
 			break;
 		case CAPI_FUNCTION_GET_SERIAL_NUMBER:
+			if (skb->len < CAPI_MSG_BASELEN + 17)
+				break;
 			controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12);
 			if (!info && ctrl) {
+				int len = min_t(uint, CAPI_SERIAL_LEN,
+						skb->data[CAPI_MSG_BASELEN + 16]);
 				memset(ctrl->serial, 0, CAPI_SERIAL_LEN);
 				strncpy(ctrl->serial,
-					skb->data + CAPI_MSG_BASELEN + 17,
+					skb->data + CAPI_MSG_BASELEN + 17, len);
-					skb->data[CAPI_MSG_BASELEN + 16]);
 			}
 			break;
@@ -287,14 +307,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s
 		break;
 	case CAPI_IND:
+		if (skb->len < CAPI_MSG_BASELEN + 6)
+			break;
 		func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3);
 		if (func == CAPI_FUNCTION_LOOPBACK) {
+			int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6,
+						skb->data[CAPI_MSG_BASELEN + 5]);
 			appl = CAPIMSG_APPID(skb->data);
 			msgnum = CAPIMSG_MSGID(skb->data);
 			cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func,
-						skb->data + CAPI_MSG_BASELEN + 6,
+						skb->data + CAPI_MSG_BASELEN + 6, len);
-						skb->data[CAPI_MSG_BASELEN + 5]);
 		}
 		break;
@@ -312,6 +336,9 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb)
 	BT_DBG("session %p skb %p len %d", session, skb, skb->len);
+	if (skb->len < CAPI_MSG_BASELEN)
+		return;
 	if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) {
 		cmtp_recv_interopmsg(session, skb);
 		return;