vcs.maemo.org Git - kernel-power/blob - kernel-power-2.6.28/debian/patches/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.diff

   1 diff -urN kernel-power-2.6.28/net/bluetooth/l2cap.c kernel-power-2.6.28.new/net/bluetooth/l2cap.c
   2 --- kernel-power-2.6.28/net/bluetooth/l2cap.c   2012-01-30 11:38:54.900397583 -0500
   3 +++ kernel-power-2.6.28.new/net/bluetooth/l2cap.c       2012-01-30 11:41:31.304278952 -0500
   4 @@ -2709,16 +2709,24 @@
   5         struct sock *sk;
   6         struct hlist_node *node;
   7         char *str = buf;
   8 +       int size = PAGE_SIZE;
   9
  10         read_lock_bh(&l2cap_sk_list.lock);
  11
  12         sk_for_each(sk, node, &l2cap_sk_list.head) {
  13                 struct l2cap_pinfo *pi = l2cap_pi(sk);
  14 +               int len;
  15
  16 -               str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
  17 +               len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n",
  18                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
  19                                 sk->sk_state, btohs(pi->psm), pi->scid, pi->dcid,
  20                                 pi->imtu, pi->omtu, pi->sec_level);
  21 +
  22 +               size -= len;
  23 +               if (size <= 0)
  24 +                       break;
  25 +
  26 +               str += len;
  27         }
  28
  29         read_unlock_bh(&l2cap_sk_list.lock);
  30 diff -urN kernel-power-2.6.28/net/bluetooth/rfcomm/core.c kernel-power-2.6.28.new/net/bluetooth/rfcomm/core.c
  31 --- kernel-power-2.6.28/net/bluetooth/rfcomm/core.c     2012-01-30 11:38:45.788742559 -0500
  32 +++ kernel-power-2.6.28.new/net/bluetooth/rfcomm/core.c 2012-01-30 11:41:31.304278952 -0500
  33 @@ -2097,6 +2097,7 @@
  34         struct rfcomm_session *s;
  35         struct list_head *pp, *p;
  36         char *str = buf;
  37 +       int size = PAGE_SIZE;
  38
  39         rfcomm_lock();
  40
  41 @@ -2105,11 +2106,21 @@
  42                 list_for_each(pp, &s->dlcs) {
  43                         struct sock *sk = s->sock->sk;
  44                         struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list);
  45 +                       int len;
  46
  47 -                       str += sprintf(str, "%s %s %ld %d %d %d %d\n",
  48 +                       len = snprintf(str, size, "%s %s %ld %d %d %d %d\n",
  49                                         batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
  50                                         d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits);
  51 +
  52 +                       size -= len;
  53 +                       if (size <= 0)
  54 +                               break;
  55 +
  56 +                       str += len;
  57                 }
  58 +
  59 +               if (size <= 0)
  60 +                       break;
  61         }
  62
  63         rfcomm_unlock();
  64 diff -urN kernel-power-2.6.28/net/bluetooth/rfcomm/sock.c kernel-power-2.6.28.new/net/bluetooth/rfcomm/sock.c
  65 --- kernel-power-2.6.28/net/bluetooth/rfcomm/sock.c     2012-01-30 11:38:44.387786122 -0500
  66 +++ kernel-power-2.6.28.new/net/bluetooth/rfcomm/sock.c 2012-01-30 11:41:31.304278952 -0500
  67 @@ -1065,13 +1065,22 @@
  68         struct sock *sk;
  69         struct hlist_node *node;
  70         char *str = buf;
  71 +       int size = PAGE_SIZE;
  72
  73         read_lock_bh(&rfcomm_sk_list.lock);
  74
  75         sk_for_each(sk, node, &rfcomm_sk_list.head) {
  76 -               str += sprintf(str, "%s %s %d %d\n",
  77 +               int len;
  78 +
  79 +               len = snprintf(str, size, "%s %s %d %d\n",
  80                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
  81                                 sk->sk_state, rfcomm_pi(sk)->channel);
  82 +
  83 +               size -= len;
  84 +               if (size <= 0)
  85 +                       break;
  86 +
  87 +               str += len;
  88         }
  89
  90         read_unlock_bh(&rfcomm_sk_list.lock);
  91 diff -urN kernel-power-2.6.28/net/bluetooth/sco.c kernel-power-2.6.28.new/net/bluetooth/sco.c
  92 --- kernel-power-2.6.28/net/bluetooth/sco.c     2012-01-30 11:38:44.391847398 -0500
  93 +++ kernel-power-2.6.28.new/net/bluetooth/sco.c 2012-01-30 11:41:31.304278952 -0500
  94 @@ -957,13 +957,22 @@
  95         struct sock *sk;
  96         struct hlist_node *node;
  97         char *str = buf;
  98 +       int size = PAGE_SIZE;
  99
 100         read_lock_bh(&sco_sk_list.lock);
 101
 102         sk_for_each(sk, node, &sco_sk_list.head) {
 103 -               str += sprintf(str, "%s %s %d\n",
 104 +               int len;
 105 +
 106 +               len = snprintf(str, size, "%s %s %d\n",
 107                                 batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst),
 108                                 sk->sk_state);
 109 +
 110 +               size -= len;
 111 +               if (size <= 0)
 112 +                       break;
 113 +
 114 +               str += len;
 115         }
 116
 117         read_unlock_bh(&sco_sk_list.lock);