| Message ID | 1555053870-31588-1-git-send-email-92siuyang@gmail.com |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | David Miller |
| Series | Bluetooth: hidp: fix buffer overflow |
Hi Young,

> Struct ca is copied from userspace. It is not checked whether the "name"
> field is NULL terminated, which allows local users to obtain potentially
> sensitive information from kernel stack memory, via a HIDPCONNADD command.
>
> This vulnerability is similar to CVE-2011-1079.
>
> Signed-off-by: Young Xiao <YangX92@hotmail.com>
> ---
> net/bluetooth/hidp/sock.c | 1 +
> 1 file changed, 1 insertion(+)

Patch has been applied to bluetooth-next tree.

Regards

Marcel
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c index 9f85a19..2151913 100644 --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c @@ -75,6 +75,7 @@ static int do_hidp_sock_ioctl(struct socket *sock, unsigned int cmd, void __user sockfd_put(csock); return err; } + ca.name[sizeof(ca.name)-1] = 0; err = hidp_connection_add(&ca, csock, isock); if (!err && copy_to_user(argp, &ca, sizeof(ca)))
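Review bot: The added `ca.name[sizeof(ca.name)-1] = 0;` silently truncates an over-long name rather than rejecting it, and the commit message does not say which behaviour is intended; since `ca` is copied back to userspace via `copy_to_user(argp, &ca, sizeof(ca))` two lines later, a caller that passed a non-terminated `name` will now see its last byte overwritten with zero, so please state in the commit message that truncation (not `-EINVAL`) is the chosen policy, or validate with `strnlen()` and return an error if that is preferred. The placement is otherwise sound: the store sits after the `sockfd_put(csock); return err;` error path, so it only runs on the success path, and before `hidp_connection_add(&ca, csock, isock)`, which is the first consumer of `name`. A one-line comment above the store (for example `/* userspace may pass a non-terminated name; force NUL termination */`) would make the intent obvious to the next reader.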