Marcel Holtmann notified me that my previous fix for CVE-2007-1353
was wrong because of a stupid memcpy() with unchecked length, which
indeed made it worse than the original bug. Next time I'll be more
careful with copy-pasting!
break;
case HCI_FILTER:
- memcpy(&flt, &hci_pi(sk)->filter, len);
+ memcpy(&flt, &hci_pi(sk)->filter, sizeof(flt));
len = MIN(len, sizeof(struct hci_filter));
if (copy_from_user(&flt, optval, len)) {
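Review bot: the clamp on the context line after the changed memcpy() still bounds len with sizeof(struct hci_filter), while the new memcpy() bounds the same destination with sizeof(flt), so one buffer is now guarded by two different expressions. The declaration of flt is not visible in this hunk; if its type ever differs from struct hci_filter, copy_from_user(&flt, optval, len) could write past it. Suggest len = MIN(len, sizeof(flt)); so both copies are tied to the destination object. The memcpy() also now reads sizeof(flt) bytes from hci_pi(sk)->filter regardless of len, which is only safe if that member is at least as large as flt; a short comment stating that the prefill exists so a short user copy leaves the remaining fields at their current values would make the intent clear and discourage a repeat of the length mix-up.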