Bluetooth: hidp: NUL terminate a string in the compat ioctl (dcae9052) · Commits · 戴 / test

This change is similar to commit ("Bluetooth: hidp: fix buffer overflow") but for the compat ioctl. We take a string from the user and forgot to ensure that it's NUL terminated. I have also changed the strncpy() in to strscpy() in hidp_setup_hid(). The difference is the strncpy() doesn't necessarily NUL terminate the destination string. Either change would fix the problem but it's nice to take a belt and suspenders approach and do both. Signed-off-by:

Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:

Marcel Holtmann <marcel@holtmann.org>

net/bluetooth/hidp/core.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -775,7 +775,7 @@ static int hidp_setup_hid(struct hidp_session *session,
		hid->version = req->version;
		hid->country = req->country;

		strncpy(hid->name, req->name, sizeof(hid->name));
		strscpy(hid->name, req->name, sizeof(hid->name));

		snprintf(hid->phys, sizeof(hid->phys), "%pMR",
		&l2cap_pi(session->ctrl_sock->sk)->chan->src);

net/bluetooth/hidp/sock.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -192,6 +192,7 @@ static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigne
		ca.version = ca32.version;
		ca.flags = ca32.flags;
		ca.idle_to = ca32.idle_to;
		ca32.name[sizeof(ca32.name) - 1] = '\0';
		memcpy(ca.name, ca32.name, 128);

		csock = sockfd_lookup(ca.ctrl_sock, &err);

Admin message