Patchwork [3.5.y.z,extended,stable] Patch "Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Jan. 31, 2013, 10:09 p.m.
Permalink /patch/217284/
State New


Herton Ronaldo Krzesinski - Jan. 31, 2013, 10:09 p.m.
This is a note to let you know that I have just added a patch titled

    Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 22905c8a90ddae615d4774857cea10bc679afcae Mon Sep 17 00:00:00 2001
From: Anderson Lizardo <>
Date: Sun, 6 Jan 2013 18:28:53 -0400
Subject: [PATCH] Bluetooth: Fix incorrect strncpy() in hidp_setup_hid()

commit 0a9ab9bdb3e891762553f667066190c1d22ad62b upstream.

The length parameter should be sizeof(req->name) - 1 because there is no
guarantee that string provided by userspace will contain the trailing

Can be easily reproduced by manually setting req->name to 128 non-zero
bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
input subsystem:

$ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name

("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
field in struct hid_device due to overflow.)

Signed-off-by: Anderson Lizardo <>
Acked-by: Marcel Holtmann <>
Signed-off-by: Gustavo Padovan <>
[ herton: adjust context ]
Signed-off-by: Herton Ronaldo Krzesinski <>
 net/bluetooth/hidp/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)



diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
index 2c20d76..217359b 100644
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -949,7 +949,7 @@  static int hidp_setup_hid(struct hidp_session *session,
 	hid->version = req->version;
 	hid->country = req->country;

-	strncpy(hid->name, req->name, 128);
+	strncpy(hid->name, req->name, sizeof(req->name) - 1);
 	strncpy(hid->phys, batostr(&bt_sk(session->ctrl_sock->sk)->src), 64);
 	strncpy(hid->uniq, batostr(&bt_sk(session->ctrl_sock->sk)->dst), 64);
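
Review bot: The new bound on the `strncpy()` into `hid->name` is taken from the source (`sizeof(req->name) - 1`) and nothing in the hunk writes the terminating byte, so `hid->name` only ends up NUL-terminated if it is at least as large as `req->name` and was zeroed before this call; neither is visible in these lines. Either terminate explicitly right after the copy (`hid->name[sizeof(req->name) - 1] = '\0';`) or add a comment or build-time check that records the size and zeroing assumption. The two context lines that copy into `hid->phys` and `hid->uniq` still pass the literal 64 as the bound, the same full-buffer pattern this change removes for `name`; switching them to `sizeof()` of the destination would keep the three calls consistent.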
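
The overflow described in the commit message, reproduced in user space as an added example that is not part of the original mail or of the kernel source. `demo_req`, `demo_hid` and the helper names are hypothetical stand-ins; the field sizes come from the literals in the hunk, and the destination is assumed to be zeroed before the copy.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins: only the sizes (128, 64) come from the hunk. */
struct demo_req { char name[128]; };
struct demo_hid { char name[128]; char phys[64]; char uniq[64]; };

/* Length of the string a reader sees starting at hid->name. The scan walks
 * the structure as raw bytes, so it stays inside the object even when
 * name[] itself holds no terminator. */
static size_t visible_name_len(const struct demo_hid *hid)
{
	const char *start = (const char *)hid + offsetof(struct demo_hid, name);
	size_t room = sizeof(*hid) - offsetof(struct demo_hid, name);
	const char *nul = memchr(start, '\0', room);

	return nul ? (size_t)(nul - start) : room;
}

/* Copy an unterminated 128-byte name with the given bound, then fill phys
 * the way the context line does (address string is a constructed sample). */
static size_t copy_and_measure(size_t bound)
{
	struct demo_req req;
	struct demo_hid hid;

	memset(&hid, 0, sizeof(hid));              /* assumption: zeroed allocation */
	memset(req.name, 'A', sizeof(req.name));   /* 128 non-zero bytes, no NUL */
	strncpy(hid.name, req.name, bound);
	strncpy(hid.phys, "f0:af:f0:af:f0:af", 64);
	return visible_name_len(&hid);
}

/* Pre-patch bound: fills name[] completely, so readers run on into phys[]. */
size_t name_len_before_fix(void) { return copy_and_measure(128); }

/* Patched bound: the last byte of name[] keeps its zero. */
size_t name_len_after_fix(void)
{
	return copy_and_measure(sizeof(((struct demo_req *)0)->name) - 1);
}

int main(void)
{
	printf("before fix: %zu bytes visible as name\n", name_len_before_fix());
	printf("after fix:  %zu bytes visible as name\n", name_len_after_fix());
	return 0;
}
```

With the old bound the visible name is the 128 copied bytes followed by the 17-byte address string from `phys`; with the patched bound it stops at 127 bytes.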