Bluetooth: bnep: fix buffer overflow

commit 43629f8f upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Bluetooth: bnep: fix buffer overflow
commit 43629f8f upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
e826581a · Vasiliy Kulikov · Greg Kroah-Hartman · a04a6324 · e826581a
Commit e826581a authored Feb 14, 2011 by Vasiliy Kulikov Committed by Greg Kroah-Hartman Apr 14, 2011
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

net/bluetooth/bnep/sock.c net/bluetooth/bnep/sock.c +1 -0

No files found.
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 			sockfd_put(nsock);
 			return -EBADFD;
 		}
+		ca.device[sizeof(ca.device)-1] = 0;

 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {