2006-02-15 08:05:24

by Charles Majola

Subject: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand

From this bug report :

https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714

--- bluez-utils/pand/bnep.c
+++ bluez-utils/pand/bnep.c
@@ -184,13 +184,13 @@
{
struct bnep_connadd_req req;

- strcpy(req.device, dev);
+ strncpy(req.device, dev, 16);
req.sock = sk;
req.role = role;
req.flow_label = 0; /* 0 == Best Effort QoS */
if (ioctl(ctl, bnepconnadd, &req))
return -1;
- strcpy(dev, req.device);
+ strncpy(dev, req.device, 16);
return 0;
}
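Review bot: `strncpy(req.device, dev, 16)` on the first changed line stops the overflow but does not guarantee a terminator: if `dev` holds 16 or more bytes, `req.device` is passed to the ioctl without a NUL, and the copy back with `strncpy(dev, req.device, 16)` has the same problem in the other direction. Use the field's own size and terminate explicitly, e.g. `strncpy(req.device, dev, sizeof(req.device) - 1); req.device[sizeof(req.device) - 1] = '\0';` and the same for `dev` on the way back; the literal 16 will silently go wrong if the field size ever changes.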


=== modified file 'bluez-utils/pand/main.c'
--- bluez-utils/pand/main.c
+++ bluez-utils/pand/main.c
@@ -182,6 +182,8 @@
while (!terminate) {
socklen_t alen = sizeof(l2a);
int nsk;
+ char this_netdev[16];
+
nsk = accept(sk, (struct sockaddr *) &l2a, &alen);
if (nsk < 0) {
syslog(LOG_ERR, "Accept failed. %s(%d)", strerror(errno), errno);
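Review bot: `char this_netdev[16];` repeats the magic number that every `strncpy` in this patch also spells out; a shared constant (the `IFNAMSIZ` the kernel uses for interface names, or a local define) would keep the declaration and the copy lengths in sync. The per-connection copy itself is the right idea, since the kernel overwrites the name it is given with the one it actually assigns.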
@@ -197,14 +199,14 @@
close(nsk);
continue;
}
-
- if (!bnep_accept_connection(nsk, role, netdev)) {
+ strncpy(this_netdev, netdev, 16);
+ if (!bnep_accept_connection(nsk, role, this_netdev)) {
char str[40];
ba2str(&l2a.l2_bdaddr, str);

syslog(LOG_INFO, "New connection from %s %s", str, netdev);

- run_devup(netdev, str, sk, nsk);
+ run_devup(this_netdev, str, sk, nsk);
} else {
syslog(LOG_ERR, "Connection failed. %s(%d)",
strerror(errno), errno);
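Review bot: the unchanged `syslog(LOG_INFO, "New connection from %s %s", str, netdev);` line still logs `netdev`, while `run_devup()` on the next changed line correctly receives `this_netdev`. Because `bnep_accept_connection()` copies the kernel-assigned name back into its `dev` argument, the log reports the template given with `-e` rather than the interface that actually came up; it should use `this_netdev`. The `strncpy(this_netdev, netdev, 16)` also inherits the missing-terminator problem: if `netdev` has no NUL within 16 bytes, neither will `this_netdev`, and the `%s` in the syslog reads past it.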
@@ -608,7 +610,7 @@
break;

case 'e':
- strcpy(netdev, optarg);
+ strncpy(netdev, optarg, 16);
break;

case 'n':
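Review bot: `strncpy(netdev, optarg, 16)` prevents the write overflow but leaves `netdev` without a terminating NUL whenever the `-e` argument is 16 or more characters, so every later `strlen`, `strcpy` or `%s` on it reads past the buffer. Either reject the argument up front (`if (strlen(optarg) >= 16) { /* error and exit */ }`) or copy at most 15 bytes and set `netdev[15] = '\0'`. A silently truncated interface name is not what the user asked for, so failing loudly is the better choice here.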



-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems? Stop! Download the new AJAX search engine that makes
searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel
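As an added example, not part of Charles's patch or the BlueZ sources: a bounded copy for the 16-byte interface-name buffer that the `-e` handler writes, in C. It assumes the buffer length of 16 used throughout the patch above, shows first that `strncpy` with a length equal to the buffer size leaves a 16-character input unterminated, and then a helper that rejects such input instead of truncating it. The names `IFNAME_LEN`, `copy_ifname` and the other functions are hypothetical, and the inputs in `main` are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for an interface name; the patch above uses a
 * literal 16 everywhere, which this example mirrors. */
#define IFNAME_LEN 16

/* Return 1 if an IFNAME_LEN buffer contains a NUL within bounds, else 0. */
int ifname_is_terminated(const char buf[IFNAME_LEN])
{
    return memchr(buf, '\0', IFNAME_LEN) != NULL;
}

/* Perform the patch's strncpy(dst, src, 16) into a scratch buffer that is
 * pre-filled with non-NUL bytes, and report whether the result is
 * NUL-terminated. strncpy only pads with NULs when src is shorter than
 * the count; a src of 16 or more characters yields no terminator at all. */
int strncpy16_terminates(const char *src)
{
    char buf[IFNAME_LEN];
    memset(buf, 'X', sizeof(buf));
    strncpy(buf, src, IFNAME_LEN);
    return ifname_is_terminated(buf);
}

/* Hypothetical safe copy for the -e handler: copy src into dst including
 * its NUL, or refuse. Returns 0 on success, -1 if src (plus NUL) does not
 * fit; on refusal dst is set to "" so a caller never sees garbage. A
 * truncated interface name is not what the user asked for, so refusing is
 * preferred over silently cutting the name short. */
int copy_ifname(char dst[IFNAME_LEN], const char *src)
{
    size_t n = 0;

    /* Bounded length scan: never look beyond IFNAME_LEN bytes of src. */
    while (n < IFNAME_LEN && src[n] != '\0')
        n++;

    if (n == IFNAME_LEN) {          /* 16 or more bytes: no room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n bytes of name plus the terminator */
    return 0;
}

/* Convenience wrapper for checking: copy via copy_ifname() and return the
 * resulting string length, or -1 if the copy was refused. */
int copy_ifname_result_len(const char *src)
{
    char buf[IFNAME_LEN];
    if (copy_ifname(buf, src) < 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed inputs: a normal name, the longest that fits, and one
     * character too many. */
    const char *inputs[] = { "bnep0", "0123456789abcde", "0123456789abcdef" };
    size_t i;

    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        int term = strncpy16_terminates(inputs[i]);
        int len = copy_ifname_result_len(inputs[i]);
        printf("%-18s strncpy terminated: %d   copy_ifname: %s (len %d)\n",
               inputs[i], term, len < 0 ? "rejected" : "ok", len);
    }
    return 0;
}
```

For pand this would replace the `strncpy(netdev, optarg, 16)` in the `-e` case with a call that can fail, so an over-long name is reported at option parsing time rather than showing up later as an unterminated string in the ioctl request or in a syslog `%s`.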


2006-02-15 10:02:14

by Marcel Holtmann

Subject: Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand

Hi Charles,

> While we're at that, there is another possible vuln...
>
> http://www.securityfocus.com/archive/1/archive/1/424133/100/0/threaded
>
> Tested in Ubuntu bluez-utils-2.24 and 2.20
>
> Any fix ideas?

it is already fixed in the CVS, but don't get me started on this one
again. However, to remind people: the hcidump tool is a development tool
and not for daily use in any production system. None of the parsers are
bulletproof and actually never will be. The Bluetooth code inside the
Linux kernel however is robust against these kinds of attacks.

Regards

Marcel





2006-02-15 09:33:43

by Charles Majola

Subject: Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand

Hi again,

While we're at that, there is another possible vuln...

http://www.securityfocus.com/archive/1/archive/1/424133/100/0/threaded

Tested in Ubuntu bluez-utils-2.24 and 2.20

Any fix ideas?

--
charles

Marcel Holtmann wrote:

>Hi Charles,
>
>
>
>> From this bug report :
>>
>>https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714
>>
>>
>
>I actually reworked the complete patch. The variable names and the
>coding style were not acceptable. We use tabs instead of whitespaces.
>
>And of course strncpy doesn't include the \0 character, so you need to
>take care of this too. However a patch for it is in the CVS now.
>
>Regards
>
>Marcel
>



2006-02-15 08:24:35

by Marcel Holtmann

Subject: Re: [Bluez-devel] [PATCH] Unsafe handling of -e option in pand

Hi Charles,

> From this bug report :
>
> https://launchpad.net/distros/ubuntu/+source/bluez-utils/+bug/6714

I actually reworked the complete patch. The variable names and the
coding style were not acceptable. We use tabs instead of whitespaces.

And of course strncpy doesn't include the \0 character, so you need to
take care of this too. However a patch for it is in the CVS now.

Regards

Marcel



