Subject: Re: [PATCH-stable v2] Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}
From: Paul Menzel
To: Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org
Date: Sat, 28 May 2022 09:38:38 +0200
Message-ID: <7c90bc97-555f-8dc5-5e27-cfb6cdb0e428@molgen.mpg.de>
In-Reply-To: <20220528003528.571351-1-luiz.dentz@gmail.com>

Dear Luiz,

Thank you for your patch.

On 28.05.22 at 02:35, Luiz Augusto von Dentz wrote:
> From: Luiz Augusto von Dentz
>
> Both dev_name and short_name are not guaranteed to be NULL terminated so
> this instead use strnlen and then attempt to determine if the resulting

The *this* does not seem to belong in the sentence.

> string needs to be truncated or not.
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=216018
> Signed-off-by: Luiz Augusto von Dentz

Should this be tagged for the stable series?

Kind regards,

Paul

> ---
> net/bluetooth/eir.c | 41 ++++++++++++++++++++++++++---------------
> net/bluetooth/mgmt.c | 4 ++--
> 2 files changed, 28 insertions(+), 17 deletions(-)
>
> diff --git a/net/bluetooth/eir.c b/net/bluetooth/eir.c
> index 7d77fb00c2bf..776d27f7e18d 100644
> --- a/net/bluetooth/eir.c
> +++ b/net/bluetooth/eir.c
> @@ -13,6 +13,20 @@ > > #define PNP_INFO_SVCLASS_ID 0x1200 > > +static u8 eir_append_name(u8 *eir, u16 eir_len, u8 type, u8 *data, u8 data_len) > +{ > + u8 name[HCI_MAX_SHORT_NAME_LENGTH + 1]; > + > + /* If data is already NULL terminated just pass it directly */ > + if (data[data_len - 1] == '\0') > + return eir_append_data(eir, eir_len, type, data, data_len); > + > + memcpy(name, data, HCI_MAX_SHORT_NAME_LENGTH); > + name[HCI_MAX_SHORT_NAME_LENGTH] = '\0'; > + > + return eir_append_data(eir, eir_len, type, name, sizeof(name)); > +} > + > u8 eir_append_local_name(struct hci_dev *hdev, u8 *ptr, u8 ad_len) > { > size_t short_len; 
> @@ -23,29 +37,26 @@ u8 eir_append_local_name(struct hci_dev *hdev, u8 *ptr, u8 ad_len) > return ad_len; > > /* use complete name if present and fits */ > - complete_len = strlen(hdev->dev_name); > + complete_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name)); > if (complete_len && complete_len <= HCI_MAX_SHORT_NAME_LENGTH) > - return eir_append_data(ptr, ad_len, EIR_NAME_COMPLETE, > + return eir_append_name(ptr, ad_len, EIR_NAME_COMPLETE, > hdev->dev_name, complete_len + 1); > > /* use short name if present */ > - short_len = strlen(hdev->short_name); > + short_len = strnlen(hdev->short_name, sizeof(hdev->short_name)); > if (short_len) > - return eir_append_data(ptr, ad_len, EIR_NAME_SHORT, > - hdev->short_name, short_len + 1); > + return eir_append_name(ptr, ad_len, EIR_NAME_SHORT, > + hdev->short_name, > + short_len == HCI_MAX_SHORT_NAME_LENGTH ? > + short_len : short_len + 1); > > /* use shortened full name if present, we already know that name > * is longer then HCI_MAX_SHORT_NAME_LENGTH > */ > - if (complete_len) { > - u8 name[HCI_MAX_SHORT_NAME_LENGTH + 1]; > - > - memcpy(name, hdev->dev_name, HCI_MAX_SHORT_NAME_LENGTH); > - name[HCI_MAX_SHORT_NAME_LENGTH] = '\0'; > - > - return eir_append_data(ptr, ad_len, EIR_NAME_SHORT, name, > - sizeof(name)); > - } > + if (complete_len) > + return eir_append_name(ptr, ad_len, EIR_NAME_SHORT, > + hdev->dev_name, > + HCI_MAX_SHORT_NAME_LENGTH); > > return ad_len; > } > @@ -181,7 +192,7 @@ void eir_create(struct hci_dev *hdev, u8 *data) > u8 *ptr = data; > size_t name_len; > > - name_len = strlen(hdev->dev_name); > + name_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name)); > > if (name_len > 0) { > /* EIR Data type */ > diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c > index cd1b300b9be7..82cc645193f2 100644 > --- a/net/bluetooth/mgmt.c > +++ b/net/bluetooth/mgmt.c 
> @@ -1082,11 +1082,11 @@ static u16 append_eir_data_to_buf(struct hci_dev *hdev, u8 *eir) > eir_len = eir_append_le16(eir, eir_len, EIR_APPEARANCE, > hdev->appearance); > > - name_len = strlen(hdev->dev_name); > + name_len = strnlen(hdev->dev_name, sizeof(hdev->dev_name)); > eir_len = eir_append_data(eir, eir_len, EIR_NAME_COMPLETE, > hdev->dev_name, name_len); > > - name_len = strlen(hdev->short_name); > + name_len = strnlen(hdev->short_name, sizeof(hdev->short_name)); > eir_len = eir_append_data(eir, eir_len, EIR_NAME_SHORT, > hdev->short_name, name_len); >
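
Review bot: In the new eir_append_name() helper (first eir.c hunk), the fallback path ignores data_len: memcpy(name, data, HCI_MAX_SHORT_NAME_LENGTH) always reads the full constant and the call then appends sizeof(name) bytes, so an unterminated buffer shorter than HCI_MAX_SHORT_NAME_LENGTH would be read past its end. The data[data_len - 1] test also indexes before the buffer when data_len is 0. The callers visible in this patch appear to avoid both cases, but the helper should not depend on that: copy min(data_len, HCI_MAX_SHORT_NAME_LENGTH) bytes, terminate at that index, pass the resulting length on, and return eir_len early when data_len is 0. The helper also returns u8 while taking a u16 eir_len, which deserves a second look.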
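
Review bot: In eir_append_local_name() (second eir.c hunk), short_len is bounded by sizeof(hdev->short_name) but the ternary compares it against HCI_MAX_SHORT_NAME_LENGTH, so the decision whether to add 1 for the terminator is only correct if the array size and the constant agree. Likewise, passing complete_len + 1 for the complete name relies on hdev->dev_name being larger than HCI_MAX_SHORT_NAME_LENGTH. Suggest comparing against sizeof(hdev->short_name) directly, or stating the assumption with a BUILD_BUG_ON, and computing the length in a local variable before the call instead of inside the argument list, with a short comment explaining why the terminator is sometimes excluded.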
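
Review bot: In append_eir_data_to_buf() (mgmt.c hunk), both names are appended unconditionally with name_len taken straight from strnlen(), so an empty name still results in an eir_append_data() call, and a full-length unterminated name is appended at sizeof() bytes with no visible check that it fits the eir buffer. This also differs from eir_append_local_name(), which skips empty names and passes a length that includes the terminator. Suggest guarding each call with if (name_len), as eir_create() does with "if (name_len > 0)", and adding a comment saying whether the terminator is meant to be part of the field here.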