Looks like there is an issue with over-filling a cavity (buffer) in the Linux Bluetooth stack's cmtp_recv_interopmsg() function.  At the very least, it's a DoS condition, but it might be possible to leverage into running code using malformed CAPI messages with oversized (1) manu (manufacturer) or (2) serial (serial number) fields.  The issue exists in Linux kernels before 2.4.33.5 and in 2.6.x up to 2.6.19.1.  More information can be found here.