Mark Salyzyn 7992c18810 Bluetooth: hidp: buffer overflow in hidp_process_report ... CVE-2018-9363 The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue. This affects 3.18 and newer kernels. Signed-off-by: Mark Salyzyn <salyzyn@android.com> Fixes: a4b1b5877b ("HID: Bluetooth: hidp: make sure input buffers are big enough") Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: Kees Cook <keescook@chromium.org> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com> Cc: linux-bluetooth@vger.kernel.org Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: security@kernel.org Cc: kernel-team@android.com Acked-by: Kees Cook <keescook@chromium.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>		2018-08-01 09:12:35 +02:00
..
core.c	Bluetooth: hidp: buffer overflow in hidp_process_report	2018-08-01 09:12:35 +02:00
hidp.h	HID: Bluetooth: hidp: make sure input buffers are big enough	2014-02-17 21:17:55 +01:00
Kconfig	Bluetooth: Introduce BT_BREDR and BT_LE config options	2014-11-02 10:01:53 +02:00
Makefile	Linux-2.6.12-rc2	2005-04-16 15:20:36 -07:00
sock.c	net: remove sock_no_poll	2018-05-26 09:16:44 +02:00