netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] bluetooth: bnep: fix buffer overflow
@ 2011-02-14 10:54 Vasiliy Kulikov
  2011-02-14 14:35 ` Gustavo F. Padovan
  0 siblings, 1 reply; 2+ messages in thread
From: Vasiliy Kulikov @ 2011-02-14 10:54 UTC (permalink / raw)
  To: linux-kernel-u79uwXL29TY76Z2rM5mHXA
  Cc: security-DgEjT+Ai2ygdnm+yROfE0A, Marcel Holtmann,
	Gustavo F. Padovan, David S. Miller, Tejun Heo,
	linux-bluetooth-u79uwXL29TY76Z2rM5mHXA,
	netdev-u79uwXL29TY76Z2rM5mHXA

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon-cxoSlKxDwOJWk0Htik3J/w@public.gmane.org>
---
 Compile tested.

 net/bluetooth/bnep/sock.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
 			sockfd_put(nsock);
 			return -EBADFD;
 		}
+		ca.device[sizeof(ca.device)-1] = 0;
 
 		err = bnep_add_connection(&ca, nsock);
 		if (!err) {
-- 
1.7.0.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-02-14 14:35 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-02-14 10:54 [PATCH] bluetooth: bnep: fix buffer overflow Vasiliy Kulikov
2011-02-14 14:35 ` Gustavo F. Padovan

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).