2011-02-14 10:54:31

by Vasily Kulikov

[permalink] [raw]
Subject: [PATCH] bluetooth: bnep: fix buffer overflow

Struct ca is copied from userspace. It is not checked whether the "device"
field is NULL terminated. This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <[email protected]>
---
Compile tested.

net/bluetooth/bnep/sock.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 2862f53..30faaf1 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
sockfd_put(nsock);
return -EBADFD;
}
+ ca.device[sizeof(ca.device)-1] = 0;

err = bnep_add_connection(&ca, nsock);
if (!err) {
--
1.7.0.4


2011-02-14 14:35:32

by Gustavo Padovan

[permalink] [raw]
Subject: Re: [PATCH] bluetooth: bnep: fix buffer overflow

Hi Vasiliy,

* Vasiliy Kulikov <[email protected]> [2011-02-14 13:54:31 +0300]:

> Struct ca is copied from userspace. It is not checked whether the "device"
> field is NULL terminated. This potentially leads to BUG() inside of
> alloc_netdev_mqs() and/or information leak by creating a device with a name
> made of contents of kernel stack.
>
> Signed-off-by: Vasiliy Kulikov <[email protected]>
> ---
> Compile tested.
>
> net/bluetooth/bnep/sock.c | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)

Applied, thanks.

--
Gustavo F. Padovan
http://profusion.mobi