Bluetooth: hidp: fix information leak to userland Structure hidp_conninfo is copied to userland with version, product, vendor and name fields unitialized if both session->input and session->hid are NULL. It leads to leaking of contents of kernel stack memory. Signed-off-by: Vasiliy Kulikov <segooon@gmail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>

commit: d31dbf6e5989b2fd9a30ec5b25436e94f009d6df [log] [tgz]
author: Vasiliy Kulikov <segooon@gmail.com> Sat Oct 30 18:26:31 2010 +0400
committer: Gustavo F. Padovan <padovan@profusion.mobi> Wed Dec 01 21:04:36 2010 -0200
tree: 5a7ad10f10b50e5b4c2f514d86b94311d17c4450
parent: 3185fbd9d7bb166992f072440b3329f58bf2c60a [diff]
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index c0ee8b3..29544c2 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c

@@ -107,6 +107,7 @@
 
 static void __hidp_copy_session(struct hidp_session *session, struct hidp_conninfo *ci)
 {
+	memset(ci, 0, sizeof(*ci));
 	bacpy(&ci->bdaddr, &session->bdaddr);
 
 	ci->flags = session->flags;
@@ -115,7 +116,6 @@
 	ci->vendor  = 0x0000;
 	ci->product = 0x0000;
 	ci->version = 0x0000;
-	memset(ci->name, 0, 128);
 
 	if (session->input) {
 		ci->vendor  = session->input->id.vendor;
commit	d31dbf6e5989b2fd9a30ec5b25436e94f009d6df	[log] [tgz]
author	Vasiliy Kulikov <segooon@gmail.com>	Sat Oct 30 18:26:31 2010 +0400
committer	Gustavo F. Padovan <padovan@profusion.mobi>	Wed Dec 01 21:04:36 2010 -0200
tree	5a7ad10f10b50e5b4c2f514d86b94311d17c4450
parent	3185fbd9d7bb166992f072440b3329f58bf2c60a [diff]