* [Bluez-devel] [PATCH] Unsafe handling of -e option in pand
@ 2006-02-15  8:05 Charles Majola
  2006-02-15  8:24 ` Marcel Holtmann
  0 siblings, 1 reply; 4+ messages in thread
From: Charles Majola @ 2006-02-15  8:05 UTC (permalink / raw)
  To: bluez-devel

From this bug report:

https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714

--- bluez-utils/pand/bnep.c	
+++ bluez-utils/pand/bnep.c	
@@ -184,13 +184,13 @@
 {
 	struct bnep_connadd_req req;
 
-	strcpy(req.device, dev);
+	strncpy(req.device, dev, 16);
 	req.sock = sk;
 	req.role = role;
 	req.flow_label = 0;     /* 0 == Best Effort QoS */
 	if (ioctl(ctl, bnepconnadd, &req))
 		return -1;
-	strcpy(dev, req.device);
+	strncpy(dev, req.device, 16);
 	return 0;
 }
 
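Review bot: `strncpy(req.device, dev, 16)` at the top of the hunk writes no terminator when `dev` is 16 characters or longer, so the kernel can be handed an unterminated device name, and `strncpy(dev, req.device, 16)` after the ioctl has the same problem in the other direction, with the size of the caller's `dev` buffer not even known in this function. Suggest `sizeof(req.device)` in place of the literal 16, an explicit `req.device[sizeof(req.device) - 1] = '\0';` after the first copy, and passing the destination size down for the copy back into `dev`.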

=== modified file 'bluez-utils/pand/main.c'
--- bluez-utils/pand/main.c	
+++ bluez-utils/pand/main.c	
@@ -182,6 +182,8 @@
 	while (!terminate) {
 		socklen_t alen = sizeof(l2a);
 		int nsk;
+                char this_netdev[16];
+                
 		nsk = accept(sk, (struct sockaddr *) &l2a, &alen);
 		if (nsk < 0) {
 			syslog(LOG_ERR, "Accept failed. %s(%d)", strerror(errno), errno);
@@ -197,14 +199,14 @@
 			close(nsk);
 			continue;
 		}
-
-		if (!bnep_accept_connection(nsk, role, netdev)) {
+                strncpy(this_netdev, netdev, 16);
+		if (!bnep_accept_connection(nsk, role, this_netdev)) {
 			char str[40];
 			ba2str(&l2a.l2_bdaddr, str);
 
 			syslog(LOG_INFO, "New connection from %s %s", str, netdev);
 
-			run_devup(netdev, str, sk, nsk);
+			run_devup(this_netdev, str, sk, nsk);
 		} else {
 			syslog(LOG_ERR, "Connection failed. %s(%d)",
 					strerror(errno), errno);
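Review bot: `strncpy(this_netdev, netdev, 16)` leaves `this_netdev` unterminated whenever `netdev` is already 16 bytes without a NUL, and the unchanged `syslog(LOG_INFO, "New connection from %s %s", str, netdev);` still logs `netdev` although the connection is now set up on `this_netdev`, which the bnep.c hunk overwrites with `req.device` after the ioctl. Suggest `this_netdev[15] = '\0';` after the copy and logging `this_netdev`, so the log names the same interface that `run_devup` receives.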
@@ -608,7 +610,7 @@
 			break;
 
 		case 'e':
-			strcpy(netdev, optarg);
+			strncpy(netdev, optarg, 16);
 			break;
 
 		case 'n':
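Review bot: `strncpy(netdev, optarg, 16)` turns the overflow into an unterminated `netdev` whenever the `-e` argument is 16 characters or longer, and silently truncates it otherwise, so a too-long name is accepted with a different meaning than the user typed. Suggest rejecting it up front, e.g. `if (strlen(optarg) >= 16) { fprintf(stderr, "Device name too long\n"); exit(1); }` before the copy, or at the very least `netdev[15] = '\0';` after it.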



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel


* Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand
  2006-02-15  8:05 [Bluez-devel] [PATCH] Unsafe handling of -e option in pand Charles Majola
@ 2006-02-15  8:24 ` Marcel Holtmann
  2006-02-15  9:33   ` Charles Majola
  0 siblings, 1 reply; 4+ messages in thread
From: Marcel Holtmann @ 2006-02-15  8:24 UTC (permalink / raw)
  To: bluez-devel

Hi Charles,

>  From this bug report :
> 
> https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714

I actually reworked the complete patch. The variable names and the
coding style were not acceptable. We use tabs instead of whitespaces.

And of course strncpy doesn't include the \0 character, so you need to
take care of this too. However a patch for it is in the CVS now.

Regards

Marcel

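Marcel's point about strncpy, as an added example that is not part of this thread or of bluez-utils: a small C helper (hypothetical names, assuming the same 16-byte device-name buffer the patch uses) that refuses a name that does not fit, beside a check showing how strncpy leaves a 16-character name without its terminator.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not pand's own code. Same 16-byte device-name limit as
 * the patch; the helper names are hypothetical. */
#define NETDEV_LEN 16

/* Copy a -e style device name, refusing anything that does not fit with
 * its terminator. Rejecting beats silent truncation: a cut-down template
 * such as "bnep%d" would no longer mean what the user typed. */
int copy_netdev_name(char dst[NETDEV_LEN], const char *src)
{
	size_t n = strlen(src);

	if (n == 0 || n >= NETDEV_LEN)
		return -1;
	memcpy(dst, src, n + 1);	/* n + 1 copies the '\0' as well */
	return 0;
}

/* Copy into a local buffer and report whether it was accepted and
 * survived unchanged. */
int netdev_name_roundtrip(const char *src)
{
	char buf[NETDEV_LEN];
	if (copy_netdev_name(buf, src) != 0)
		return 0;
	return strcmp(buf, src) == 0;
}

/* Marcel's point: strncpy() writes no '\0' when src fills the buffer.
 * Returns 1 if the destination ends up terminated, 0 otherwise. */
int strncpy_terminated(const char *src)
{
	char dst[NETDEV_LEN];
	memset(dst, 'X', sizeof(dst));
	strncpy(dst, src, NETDEV_LEN);
	return memchr(dst, '\0', sizeof(dst)) != NULL;
}

int main(void)
{
	const char *names[] = { "bnep0", "bnep%d", "0123456789abcdef" };
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-17s strncpy terminated: %d  accepted: %d\n", names[i],
		       strncpy_terminated(names[i]), netdev_name_roundtrip(names[i]));
	return 0;
}
```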





* Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand
  2006-02-15  8:24 ` Marcel Holtmann
@ 2006-02-15  9:33   ` Charles Majola
  2006-02-15 10:02     ` Marcel Holtmann
  0 siblings, 1 reply; 4+ messages in thread
From: Charles Majola @ 2006-02-15  9:33 UTC (permalink / raw)
  To: bluez-devel

Hi again,

While we are at that, there is another possible vuln...

http://www.securityfocus.com/archive/1/archive/1/424133/100/0/threaded

Tested in Ubuntu bluez-utils-2.24 and 2.20

Any fix ideas?

--
charles

Marcel Holtmann wrote:

> Hi Charles,
>
> > From this bug report:
> >
> > https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714
>
> I actually reworked the complete patch. The variable names and the
> coding style was not acceptable. We use tabs instead of whitespaces.
>
> And of course strncpy doesn't include the \0 character, so you need to
> take care of this too. However a patch for it is in the CVS now.
>
> Regards
>
> Marcel




* Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand
  2006-02-15  9:33   ` Charles Majola
@ 2006-02-15 10:02     ` Marcel Holtmann
  0 siblings, 0 replies; 4+ messages in thread
From: Marcel Holtmann @ 2006-02-15 10:02 UTC (permalink / raw)
  To: bluez-devel

Hi Charles,

> While we at that, there is another possible vuln...
> 
> http://www.securityfocus.com/archive/1/archive/1/424133/100/0/threaded
> 
> Tested in Ubuntu bluez-utils-2.24 and 2.20
> 
> Any fix ideas?

it is already fixed in the CVS, but don't get me started on this one
again. However, to remind people: the hcidump tool is a development tool
and not for daily use in any production system. None of the parsers are
bulletproof and actually never will be. The Bluetooth code inside the
Linux kernel however is robust against this kind of attack.

Regards

Marcel




