summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-02-14 13:54:31 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2011-04-14 16:53:33 -0700
commite826581a58ce64a98332b840354f4f18348a71c7 (patch)
tree528e1b52403abaa5ea62a02e15a37d5bf554ee17
parenta04a632411960cb96d5b9defa571eb8128999f11 (diff)
downloadlwn-e826581a58ce64a98332b840354f4f18348a71c7.tar.gz
lwn-e826581a58ce64a98332b840354f4f18348a71c7.zip
Bluetooth: bnep: fix buffer overflow
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--net/bluetooth/bnep/sock.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index e857628b0b27..efc85dc9d8c3 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {