| From 0a9ab9bdb3e891762553f667066190c1d22ad62b Mon Sep 17 00:00:00 2001 |
| From: Anderson Lizardo <anderson.lizardo@openbossa.org> |
| Date: Sun, 6 Jan 2013 18:28:53 -0400 |
| Subject: Bluetooth: Fix incorrect strncpy() in hidp_setup_hid() |
| |
| From: Anderson Lizardo <anderson.lizardo@openbossa.org> |
| |
| commit 0a9ab9bdb3e891762553f667066190c1d22ad62b upstream. |
| |
| The length parameter should be sizeof(req->name) - 1 because there is no |
| guarantee that the string provided by userspace will contain the trailing |
| '\0'. |
| |
| Can be easily reproduced by manually setting req->name to 128 non-zero |
| bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on |
| input subsystem: |
| |
| $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name |
| AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af |
| |
| ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys" |
| field in struct hid_device due to overflow.) |
| |
| Signed-off-by: Anderson Lizardo <anderson.lizardo@openbossa.org> |
| Acked-by: Marcel Holtmann <marcel@holtmann.org> |
| Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/bluetooth/hidp/core.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/bluetooth/hidp/core.c |
| +++ b/net/bluetooth/hidp/core.c |
| @@ -931,7 +931,7 @@ static int hidp_setup_hid(struct hidp_se |
| hid->version = req->version; |
| hid->country = req->country; |
| |
| - strncpy(hid->name, req->name, 128); |
| + strncpy(hid->name, req->name, sizeof(req->name) - 1); |
| strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64); |
| strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64); |
| |
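Review bot: The new bound on the `hid->name` copy is taken from the source field (`sizeof(req->name) - 1`), so it terminates the string only if `hid->name` is at least as large as `req->name` and its last byte is already zero; neither the field sizes nor the allocation of `hid` is visible in this hunk. Bounding by the destination and terminating explicitly would make the line safe on its own: `strncpy(hid->name, req->name, sizeof(hid->name) - 1);` followed by `hid->name[sizeof(hid->name) - 1] = '\0';`. If the zeroed allocation is being relied on instead, a comment such as `/* hid is zero-allocated, so the final byte of name stays NUL */` would record that. The two context lines below still pass a literal `64` for `hid->phys` and `hid->uniq`; the address string is presumably much shorter than that, but `sizeof(hid->phys) - 1` and `sizeof(hid->uniq) - 1` would keep them consistent with this fix. hidp_setup_hid() begins and ends outside the hunk.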