summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-02-14 13:54:31 +0300
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-06-26 12:47:20 -0400
commit26b6a59e8b70435996c86f705dfb7f66124f5b1e (patch)
tree95e9335b3fb3e8171a388bbb69fa0634b80748a7
parentf8107dd119c9fd62aa0a3d3eb55d67bdd84b8036 (diff)
downloadlinux-stable-26b6a59e8b70435996c86f705dfb7f66124f5b1e.tar.gz
linux-stable-26b6a59e8b70435996c86f705dfb7f66124f5b1e.tar.bz2
linux-stable-26b6a59e8b70435996c86f705dfb7f66124f5b1e.zip
Bluetooth: bnep: fix buffer overflow
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r--net/bluetooth/bnep/sock.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53b66b1..d935da71ab3b 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {