Bluetooth: bnep: fix buffer overflow
Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Vasiliy Kulikov authored and Gustavo F. Padovan committed Feb 14, 2011
1 parent d9f51b5 commit 43629f8
1 change: 1 addition & 0 deletions net/bluetooth/bnep/sock.c
Expand Up @@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
ca.device[sizeof(ca.device)-1] = 0;

err = bnep_add_connection(&ca, nsock);
if (!err) {
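Review bot: the termination is placed below the nsock checks and immediately before `bnep_add_connection(&ca, nsock)`, while the copy from userspace happens above the visible context; please confirm nothing in bnep_sock_ioctl between that copy and this line reads `ca.device`, otherwise the unterminated name is still consumed once before the fix takes effect. The change also truncates an over-long name silently rather than rejecting it; either return -EINVAL when the last byte is non-zero, or state in the commit message that names of sizeof(ca.device) or more bytes are now truncated. Minor style: checkpatch prefers spaces around the binary operator, i.e. `ca.device[sizeof(ca.device) - 1] = 0;`.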