summaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-02-14 13:54:31 +0300
committerGreg Kroah-Hartman <gregkh@suse.de>2011-04-14 16:53:02 -0700
commit914b365dbf1500f9c6c058eadd1bbb9fad534a76 (patch)
tree7a1ed88d9406da17ff351f12432ffb9c895a5814 /net
parent9dc744817dd4c3c52b714a7eea73a8aeba18d1fd (diff)
Bluetooth: bnep: fix buffer overflow
commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream. Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/bluetooth/bnep/sock.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2ff6ac7b2ed4..7e08ce71d87e 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;
err = bnep_add_connection(&ca, nsock);
if (!err) {