From: Vasiliy Kulikov <segoon@openwall.com>
Date: Mon, 14 Feb 2011 10:54:31 +0000 (+0300)
Subject: Bluetooth: bnep: fix buffer overflow
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=43629f8f5ea32a998d06d1bb41eefa0e821ff573
Bluetooth: bnep: fix buffer overflow
Struct ca is copied from userspace. It is not checked whether the "device"
field is NUL-terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
---
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..d935da7 100644
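--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 sockfd_put(nsock);
 return -EBADFD;
 }
+ ca.device[sizeof(ca.device)-1] = 0;
 
 err = bnep_add_connection(&ca, nsock);
 if (!err) {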
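Review bot: The added `ca.device[sizeof(ca.device)-1] = 0;` silently truncates a name that fills the whole field instead of rejecting it, and nothing at the site says why the byte is being forced. A one-line comment would keep the guard from being dropped as dead code later, e.g. `/* ca was copied from userspace; device may lack a terminating NUL */`. If silent truncation is not wanted, the alternative is to test `strnlen(ca.device, sizeof(ca.device)) == sizeof(ca.device)` and return `-EINVAL`, releasing nsock as the `-EBADFD` path just above does; whether any caller relies on full-length names cannot be told from this hunk. Termination only bounds the string, so the characters of the name presumably still need validating further down in `bnep_add_connection()` or the netdev core. The body of `bnep_sock_ioctl()` starts and ends outside the hunk.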