On Tue, 2013-06-04 at 19:23 +0200, Willy Tarreau wrote:
> 2.6.32-longterm review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> hidp_setup_hid()
>
> From: Anderson Lizardo

This is missing the upstream reference.  It was commit
0a9ab9bdb3e891762553f667066190c1d22ad62b.

Ben.

> The length parameter should be sizeof(req->name) - 1 because there is no
> guarantee that string provided by userspace will contain the trailing
> '\0'.
>
> Can be easily reproduced by manually setting req->name to 128 non-zero
> bytes prior to ioctl(HIDPCONNADD) and checking the device name setup on
> input subsystem:
>
> $ cat /sys/devices/pnp0/00\:04/tty/ttyS0/hci0/hci0\:1/input8/name
> AAAAAA[...]AAAAAAAAf0:af:f0:af:f0:af
>
> ("f0:af:f0:af:f0:af" is the device bluetooth address, taken from "phys"
> field in struct hid_device due to overflow.)
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Anderson Lizardo
> Acked-by: Marcel Holtmann
> Signed-off-by: Gustavo Padovan
>
> [backported to 2.6.32 jmm]
> Signed-off-by: Willy Tarreau
> ---
>  net/bluetooth/hidp/core.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c
> index 49d8495..0c2c59d 100644
> --- a/net/bluetooth/hidp/core.c
> +++ b/net/bluetooth/hidp/core.c
> @@ -778,7 +778,7 @@ static int hidp_setup_hid(struct hidp_session *session,
>  	hid->version = req->version;
>  	hid->country = req->country;
>  
> -	strncpy(hid->name, req->name, 128);
> +	strncpy(hid->name, req->name, sizeof(req->name) - 1);
>  	strncpy(hid->phys, batostr(&src), 64);
>  	strncpy(hid->uniq, batostr(&dst), 64);

-- 
Ben Hutchings
Theory and practice are closer in theory than in practice.
                                               - John Levine, moderator of comp.compilers
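Review bot: the new strncpy() length in the hidp_setup_hid() hunk, sizeof(req->name) - 1, leaves the last byte of hid->name unwritten rather than writing a terminator, so hid->name is only NUL-terminated if the hid_device was zero-filled before this point; an explicit `hid->name[sizeof(hid->name) - 1] = '\0';` after the copy would make that independent of the allocator. The length is also taken from the source array rather than the destination; sizing by `sizeof(hid->name) - 1` states the bound that actually matters, instead of relying on the two arrays being the same size, which is what the hard-coded 128 silently assumed. The two following lines, `strncpy(hid->phys, batostr(&src), 64);` and `strncpy(hid->uniq, batostr(&dst), 64);`, use the same fill-the-whole-buffer pattern; they are only safe because batostr() returns a short fixed-format string, and a comment or the same explicit termination would make that visible to the next reader.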
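The failure mode described in the commit message, as an added C example that is not part of the patch or of the kernel source: the structs fake_hidp_connadd_req and fake_hid_device are constructed stand-ins for the kernel's request and hid_device structures, keeping only what matters for the bug (a 128-byte name immediately followed by a 64-byte phys field), and the addresses are constructed sample values in place of batostr() output. The example shows the unterminated copy before the fix, the fixed copy into zeroed and into non-zeroed memory, and a variant that writes the terminator explicitly.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel structures (hypothetical names);
 * only the layout matters: a 128-byte name directly followed by phys. */
struct fake_hidp_connadd_req {
	char name[128];   /* filled by userspace; no trailing '\0' guaranteed */
};

struct fake_hid_device {
	char name[128];
	char phys[64];    /* directly after name in memory */
	char uniq[64];
};

/* Length a reader sees when it trusts hid->name to be NUL-terminated.
 * The scan starts at name but is bounded by the whole struct, so it is
 * defined behaviour even when name carries no terminator. */
static size_t observed_name_len(const struct fake_hid_device *hid)
{
	const char *base = (const char *)hid;
	size_t off = offsetof(struct fake_hid_device, name);
	size_t n = 0;

	while (off + n < sizeof(*hid) && base[off + n] != '\0')
		n++;
	return n;
}

/* The reproducer from the commit message: 128 non-zero bytes, no '\0'. */
static void fill_req(struct fake_hidp_connadd_req *req)
{
	memset(req->name, 'A', sizeof(req->name));
}

/* Constructed addresses standing in for batostr(&src) / batostr(&dst). */
static void fill_addrs(struct fake_hid_device *hid)
{
	strncpy(hid->phys, "f0:af:f0:af:f0:af", sizeof(hid->phys) - 1);
	strncpy(hid->uniq, "00:11:22:33:44:55", sizeof(hid->uniq) - 1);
}

/* Before the fix: 128 bytes into a 128-byte array leaves no terminator,
 * so the name runs straight into phys ("AAA...Af0:af:f0:af:f0:af"). */
size_t setup_hid_before(void)
{
	struct fake_hidp_connadd_req req;
	struct fake_hid_device hid;

	fill_req(&req);
	memset(&hid, 0, sizeof(hid));          /* like a zeroed allocation */
	strncpy(hid.name, req.name, 128);
	fill_addrs(&hid);
	return observed_name_len(&hid);        /* 128 + 17 = 145 */
}

/* After the fix: 127 bytes are copied and byte 127 is left untouched, so
 * the name is terminated only because the struct was zeroed beforehand. */
size_t setup_hid_after(void)
{
	struct fake_hidp_connadd_req req;
	struct fake_hid_device hid;

	fill_req(&req);
	memset(&hid, 0, sizeof(hid));
	strncpy(hid.name, req.name, sizeof(req.name) - 1);
	fill_addrs(&hid);
	return observed_name_len(&hid);        /* 127 */
}

/* Same fixed copy into memory that was not zeroed: byte 127 is still
 * non-zero and the name again runs into phys. */
size_t setup_hid_after_unzeroed(void)
{
	struct fake_hidp_connadd_req req;
	struct fake_hid_device hid;

	fill_req(&req);
	memset(&hid, 'B', sizeof(hid));        /* dirty memory */
	strncpy(hid.name, req.name, sizeof(req.name) - 1);
	fill_addrs(&hid);
	return observed_name_len(&hid);        /* 145 */
}

/* Defensive form: size the copy by the destination and write the
 * terminator explicitly, independent of how hid was allocated. */
size_t setup_hid_explicit(void)
{
	struct fake_hidp_connadd_req req;
	struct fake_hid_device hid;

	fill_req(&req);
	memset(&hid, 'B', sizeof(hid));
	strncpy(hid.name, req.name, sizeof(hid.name) - 1);
	hid.name[sizeof(hid.name) - 1] = '\0';
	fill_addrs(&hid);
	return observed_name_len(&hid);        /* 127 */
}

int main(void)
{
	printf("before fix:          %zu\n", setup_hid_before());
	printf("after fix (zeroed):  %zu\n", setup_hid_after());
	printf("after fix (dirty):   %zu\n", setup_hid_after_unzeroed());
	printf("explicit terminator: %zu\n", setup_hid_explicit());
	return 0;
}
```

The third case is the one worth remembering: strncpy() with a length one short of the buffer only yields a terminated string if the byte it skips is already zero, which is a property of the allocation, not of the copy.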