| Message ID | 1297680871-11617-1-git-send-email-segoon@openwall.com |
|---|---|
| State | Not Applicable, archived |
| Delegated to: | David Miller |
| Headers | show |
Hi Vasiliy, * Vasiliy Kulikov <segoon@openwall.com> [2011-02-14 13:54:31 +0300]: > Struct ca is copied from userspace. It is not checked whether the "device" > field is NULL terminated. This potentially leads to BUG() inside of > alloc_netdev_mqs() and/or information leak by creating a device with a name > made of contents of kernel stack. > > Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> > --- > Compile tested. > > net/bluetooth/bnep/sock.c | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) Applied, thanks.
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c index 2862f53..30faaf1 100644 --- a/net/bluetooth/bnep/sock.c +++ b/net/bluetooth/bnep/sock.c @@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long sockfd_put(nsock); return -EBADFD; } + ca.device[sizeof(ca.device)-1] = 0; err = bnep_add_connection(&ca, nsock); if (!err) {
Struct ca is copied from userspace. It is not checked whether the "device" field is NULL terminated. This potentially leads to BUG() inside of alloc_netdev_mqs() and/or information leak by creating a device with a name made of contents of kernel stack. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> --- Compile tested. net/bluetooth/bnep/sock.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)