Bluetooth: hidp: NUL terminate a string in the compat ioctl
This change is similar to commit a1616a5ac9 ("Bluetooth: hidp: fix
buffer overflow") but for the compat ioctl. We take a string from the
user and forgot to ensure that it's NUL terminated.
I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
The difference is the strncpy() doesn't necessarily NUL terminate the
destination string. Either change would fix the problem but it's nice
to take a belt and suspenders approach and do both.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This commit is contained in:
Dan Carpenter
committed by
Marcel Holtmann
Marcel Holtmann
parent
44d34af2e4
commit
dcae9052eb
@@ -775,7 +775,7 @@ static int hidp_setup_hid(struct hidp_session *session,
|
|||||||
hid->version = req->version;
|
hid->version = req->version;
|
||||||
hid->country = req->country;
|
hid->country = req->country;
|
||||||
|
|
||||||
strncpy(hid->name, req->name, sizeof(hid->name));
|
strscpy(hid->name, req->name, sizeof(hid->name));
|
||||||
|
|
||||||
snprintf(hid->phys, sizeof(hid->phys), "%pMR",
|
snprintf(hid->phys, sizeof(hid->phys), "%pMR",
|
||||||
&l2cap_pi(session->ctrl_sock->sk)->chan->src);
|
&l2cap_pi(session->ctrl_sock->sk)->chan->src);
|
||||||
|
|||||||
@@ -192,6 +192,7 @@ static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigne
|
|||||||
ca.version = ca32.version;
|
ca.version = ca32.version;
|
||||||
ca.flags = ca32.flags;
|
ca.flags = ca32.flags;
|
||||||
ca.idle_to = ca32.idle_to;
|
ca.idle_to = ca32.idle_to;
|
||||||
|
ca32.name[sizeof(ca32.name) - 1] = '\0';
|
||||||
memcpy(ca.name, ca32.name, 128);
|
memcpy(ca.name, ca32.name, 128);
|
||||||
|
|
||||||
csock = sockfd_lookup(ca.ctrl_sock, &err);
|
csock = sockfd_lookup(ca.ctrl_sock, &err);
|
||||||
|
|||||||
Reference in New Issue
Block a user