Bluetooth: bnep: fix buffer overflow

commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Andi Kleen <ak@linux.intel.com>
author: Vasiliy Kulikov <segoon@openwall.com> 2011-02-14 13:54:31 +0300
committer: Andi Kleen <ak@linux.intel.com> 2011-04-28 08:20:55 -0700
commit: 794cf4569083bd3a54bcba5068e2beaea5663f2d (patch)
tree: ca8930f80b9472173739bff8af454883d1c38222 /net
parent: ce0f98ea90a8171cdaf249c0c623b455931d69ec (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53b66b1..d935da71ab3b 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 			sockfd_put(nsock);
 			return -EBADFD;
 		}
+		ca.device[sizeof(ca.device)-1] = 0;
 
 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {
author	Vasiliy Kulikov <segoon@openwall.com>	2011-02-14 13:54:31 +0300
committer	Andi Kleen <ak@linux.intel.com>	2011-04-28 08:20:55 -0700
commit	794cf4569083bd3a54bcba5068e2beaea5663f2d (patch)
tree	ca8930f80b9472173739bff8af454883d1c38222 /net
parent	ce0f98ea90a8171cdaf249c0c623b455931d69ec (diff)