* [Bluez-devel] [PATCH] Unsafe handling of -e option in pand
@ 2006-02-15 8:05 Charles Majola
2006-02-15 8:24 ` Marcel Holtmann
0 siblings, 1 reply; 4+ messages in thread
From: Charles Majola @ 2006-02-15 8:05 UTC (permalink / raw)
To: bluez-devel
From this bug report :
https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714
--- bluez-utils/pand/bnep.c
+++ bluez-utils/pand/bnep.c
@@ -184,13 +184,13 @@
{
struct bnep_connadd_req req;
- strcpy(req.device, dev);
+ strncpy(req.device, dev, 16);
req.sock = sk;
req.role = role;
req.flow_label = 0; /* 0 == Best Effort QoS */
if (ioctl(ctl, bnepconnadd, &req))
return -1;
- strcpy(dev, req.device);
+ strncpy(dev, req.device, 16);
return 0;
}
=== modified file 'bluez-utils/pand/main.c'
--- bluez-utils/pand/main.c
+++ bluez-utils/pand/main.c
@@ -182,6 +182,8 @@
while (!terminate) {
socklen_t alen = sizeof(l2a);
int nsk;
+ char this_netdev[16];
+
nsk = accept(sk, (struct sockaddr *) &l2a, &alen);
if (nsk < 0) {
syslog(LOG_ERR, "Accept failed. %s(%d)", strerror(errno), errno);
@@ -197,14 +199,14 @@
close(nsk);
continue;
}
-
- if (!bnep_accept_connection(nsk, role, netdev)) {
+ strncpy(this_netdev, netdev, 16);
+ if (!bnep_accept_connection(nsk, role, this_netdev)) {
char str[40];
ba2str(&l2a.l2_bdaddr, str);
syslog(LOG_INFO, "New connection from %s %s", str, netdev);
- run_devup(netdev, str, sk, nsk);
+ run_devup(this_netdev, str, sk, nsk);
} else {
syslog(LOG_ERR, "Connection failed. %s(%d)",
strerror(errno), errno);
@@ -608,7 +610,7 @@
break;
case 'e':
- strcpy(netdev, optarg);
+ strncpy(netdev, optarg, 16);
break;
case 'n':
-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand 2006-02-15 8:05 [Bluez-devel] [PATCH] Unsafe handling of -e option in pand Charles Majola @ 2006-02-15 8:24 ` Marcel Holtmann 2006-02-15 9:33 ` Charles Majola 0 siblings, 1 reply; 4+ messages in thread From: Marcel Holtmann @ 2006-02-15 8:24 UTC (permalink / raw) To: bluez-devel Hi Charles, > From this bug report : > > https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714 I actually reworked the complete patch. The variable names and the coding style was not acceptable. We use tabs instead of whitespaces. And of course strncpy doesn't include the \0 character, so you need to take care of this too. However a patch for it is in the CVS now. Regards Marcel ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 _______________________________________________ Bluez-devel mailing list Bluez-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bluez-devel ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand 2006-02-15 8:24 ` Marcel Holtmann @ 2006-02-15 9:33 ` Charles Majola 2006-02-15 10:02 ` Marcel Holtmann 0 siblings, 1 reply; 4+ messages in thread From: Charles Majola @ 2006-02-15 9:33 UTC (permalink / raw) To: bluez-devel Hi again, While we at that, there is another possible vuln... http://www.securityfocus.com/archive/1/archive/1/424133/100/0/threaded Tested in Ubuntu bluez-utils-2.24 and 2.20 Any fix ideas? -- charles Marcel Holtmann wrote: >Hi Charles, > > > >> From this bug report : >> >>https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714 >> >> > >I actually reworked the complete patch. The variable names and the >coding style was not acceptable. We use tabs instead of whitespaces. > >And of course strncpy doesn't include the \0 character, so you need to >take care of this too. However a patch for it is in the CVS now. > >Regards > >Marcel > > > > >------------------------------------------------------- >This SF.net email is sponsored by: Splunk Inc. Do you grep through log files >for problems? Stop! Download the new AJAX search engine that makes >searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! >http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 >_______________________________________________ >Bluez-devel mailing list >Bluez-devel@lists.sourceforge.net >https://lists.sourceforge.net/lists/listinfo/bluez-devel > > > ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 _______________________________________________ Bluez-devel mailing list Bluez-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bluez-devel ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand 2006-02-15 9:33 ` Charles Majola @ 2006-02-15 10:02 ` Marcel Holtmann 0 siblings, 0 replies; 4+ messages in thread From: Marcel Holtmann @ 2006-02-15 10:02 UTC (permalink / raw) To: bluez-devel Hi Charles, > While we at that, there is another possible vuln... > > http://www.securityfocus.com/archive/1/archive/1/424133/100/0/threaded > > Tested in Ubuntu bluez-utils-2.24 and 2.20 > > Any fix ideas? it is already fixed in the CVS, but don't get me started on this one again. However to remind people. The hcidump tool is a development tool and not for daily use in any production system. Non of the parsers are bullet proof and actually never will be. The Bluetooth code inside the Linux kernel however is robust against these kind of attacks. Regards Marcel ------------------------------------------------------- This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642 _______________________________________________ Bluez-devel mailing list Bluez-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bluez-devel ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2006-02-15 10:02 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2006-02-15 8:05 [Bluez-devel] [PATCH] Unsafe handling of -e option in pand Charles Majola 2006-02-15 8:24 ` Marcel Holtmann 2006-02-15 9:33 ` Charles Majola 2006-02-15 10:02 ` Marcel Holtmann
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).