| From b7dfb525660c1cb3262e319d6e079136821f3735 Mon Sep 17 00:00:00 2001 |
| From: Anderson Lizardo <anderson.lizardo@openbossa.org> |
| Date: Sun, 6 Jan 2013 18:28:53 -0400 |
| Subject: [PATCH] Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() |
| |
| commit 0a9ab9bdb3e891762553f667066190c1d22ad62b upstream. |
| |
| The length parameter should be sizeof(req->name) - 1 because there is no |
| guarantee that the string provided by userspace will contain the trailing |
| '\0'. |
| |
| Can be easily reproduced by manually setting req->name to 128 non-zero |
| bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on |
| input subsystem: |
| |
| $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name |
| AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af |
| |
| ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys" |
| field in struct hid_device due to overflow.) |
| |
| Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org> |
| Acked-by: Marcel Holtmann <marcel@holtmann.org> |
| Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| --- |
| net/bluetooth/hidp/core.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c |
| index 280529ad9274..a01808691565 100644 |
| --- a/net/bluetooth/hidp/core.c |
| +++ b/net/bluetooth/hidp/core.c |
| @@ -790,7 +790,7 @@ static int hidp_setup_hid(struct hidp_session *session, |
| hid->version = req->version; |
| hid->country = req->country; |
| |
| - strncpy(hid->name, req->name, 128); |
| + strncpy(hid->name, req->name, sizeof(req->name) - 1); |
| strncpy(hid->phys, batostr(&src), 64); |
| strncpy(hid->uniq, batostr(&dst), 64); |
| |
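Review bot: The new bound on the `hid->name` copy is taken from the source field (`sizeof(req->name) - 1`) while the write goes to `hid->name`, so it is only safe if the destination is at least as large as `req->name`; the hunk does not show either declaration. Termination is also implicit: `strncpy()` writes no '\0' when the source fills the bound, so the result is a valid string only if the last byte of `hid->name` was already zero, presumably because the device structure is zero-allocated, which should be confirmed outside this hunk. Making both assumptions explicit would protect against a later change to either struct: add `BUILD_BUG_ON(sizeof(hid->name) < sizeof(req->name));` before the copy and `hid->name[sizeof(req->name) - 1] = '\0';` after it. The neighbouring `phys` and `uniq` copies keep a literal `64` as their bound, and `sizeof(hid->phys)` / `sizeof(hid->uniq)` would tie each to its own destination in the same way. The body of `hidp_setup_hid()` starts and ends outside the hunk.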
| -- |
| 1.8.5.2 |
| |