Commit 43629f8f authored by Vasiliy Kulikov's avatar Vasiliy Kulikov Committed by Gustavo F. Padovan

Bluetooth: bnep: fix buffer overflow

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
Signed-off-by: default avatarVasiliy Kulikov <segoon@openwall.com>
Signed-off-by: default avatarGustavo F. Padovan <padovan@profusion.mobi>
parent d9f51b51
...@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long ...@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock); sockfd_put(nsock);
return -EBADFD; return -EBADFD;
} }
ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock); err = bnep_add_connection(&ca, nsock);
if (!err) { if (!err) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment