Bluetooth: hidp: fix buffer overflow

Struct ca is copied from userspace. It is not checked whether the "name" field is NULL terminated, which allows local users to obtain potentially sensitive information from kernel stack memory, via a HIDPCONNADD command. This vulnerability is similar to CVE-2011-1079. Signed-off-by: Young Xiao <YangX92@hotmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Cc: stable@vger.kernel.org
author: Young Xiao <YangX92@hotmail.com> 2019-04-12 15:24:30 +0800
committer: Marcel Holtmann <marcel@holtmann.org> 2019-04-23 19:04:38 +0200
commit: a1616a5ac99ede5d605047a9012481ce7ff18b16 (patch)
tree: c330e3f1724257262c97a58e772e119003738154 /net/bluetooth/hidp
parent: Bluetooth: btmrvl: add support for SD8987 chipset (diff)
download: linux-dev-a1616a5ac99ede5d605047a9012481ce7ff18b16.tar.xz
linux-dev-a1616a5ac99ede5d605047a9012481ce7ff18b16.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 9f85a1943be9..2151913892ce 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user
 			sockfd_put(csock);
 			return err;
 		}
+		ca.name[sizeof(ca.name)-1] = 0;
 
 		err = hidp_connection_add(&ca, csock, isock);
 		if (!err && copy_to_user(argp, &ca, sizeof(ca)))
author	Young Xiao <YangX92@hotmail.com>	2019-04-12 15:24:30 +0800
committer	Marcel Holtmann <marcel@holtmann.org>	2019-04-23 19:04:38 +0200
commit	a1616a5ac99ede5d605047a9012481ce7ff18b16 (patch)
tree	c330e3f1724257262c97a58e772e119003738154 /net/bluetooth/hidp
parent	Bluetooth: btmrvl: add support for SD8987 chipset (diff)
download	linux-dev-a1616a5ac99ede5d605047a9012481ce7ff18b16.tar.xz linux-dev-a1616a5ac99ede5d605047a9012481ce7ff18b16.zip