* [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
@ 2021-08-04 15:09 Colin King
2021-08-04 16:12 ` bluez.test.bot
2021-08-05 13:06 ` [PATCH] " Marcel Holtmann
0 siblings, 2 replies; 3+ messages in thread
From: Colin King @ 2021-08-04 15:09 UTC (permalink / raw)
To: Karsten Keil, Marcel Holtmann, Johan Hedberg,
Luiz Augusto von Dentz, David S . Miller, Jakub Kicinski,
Andrei Emeltchenko, Gustavo Padovan, netdev, linux-bluetooth
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
An earlier commit replaced using batostr to using %pMR sprintf for the
construction of session->name. Static analysis detected that this new
method can use a total of 21 characters (including the trailing '\0')
so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
buffer overflows.
Addresses-Coverity: ("Out-of-bounds write")
Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
net/bluetooth/cmtp/cmtp.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index c32638dddbf9..f6b9dc4e408f 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -26,7 +26,7 @@
#include <linux/types.h>
#include <net/bluetooth/bluetooth.h>
-#define BTNAMSIZ 18
+#define BTNAMSIZ 21
/* CMTP ioctl defines */
#define CMTPCONNADD _IOW('C', 200, int)
--
2.31.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* RE: Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
2021-08-04 15:09 [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow Colin King
@ 2021-08-04 16:12 ` bluez.test.bot
2021-08-05 13:06 ` [PATCH] " Marcel Holtmann
1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2021-08-04 16:12 UTC (permalink / raw)
To: linux-bluetooth, colin.king
[-- Attachment #1: Type: text/plain, Size: 3710 bytes --]
This is automated email and please do not reply to this email!
Dear submitter,
Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=526383
---Test result---
Test Summary:
CheckPatch FAIL 0.41 seconds
GitLint FAIL 0.10 seconds
BuildKernel PASS 515.44 seconds
TestRunner: Setup PASS 338.90 seconds
TestRunner: l2cap-tester PASS 2.58 seconds
TestRunner: bnep-tester PASS 1.88 seconds
TestRunner: mgmt-tester PASS 31.34 seconds
TestRunner: rfcomm-tester PASS 2.08 seconds
TestRunner: sco-tester PASS 2.00 seconds
TestRunner: smp-tester FAIL 2.05 seconds
TestRunner: userchan-tester PASS 1.91 seconds
Details
##############################
Test: CheckPatch - FAIL - 0.41 seconds
Run checkpatch.pl script with rule in .checkpatch.conf
Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
WARNING: Unknown commit id 'fcb73338ed53', maybe rebased or not pulled?
#14:
Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
total: 0 errors, 1 warnings, 0 checks, 8 lines checked
NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.
"[PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential" has style problems, please review.
NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS.
##############################
Test: GitLint - FAIL - 0.10 seconds
Run gitlint with rule in .gitlint
Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
1: T1 Title exceeds max length (73>72): "Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow"
10: B1 Line exceeds max length (84>80): "Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")"
##############################
Test: BuildKernel - PASS - 515.44 seconds
Build Kernel with minimal configuration supports Bluetooth
##############################
Test: TestRunner: Setup - PASS - 338.90 seconds
Setup environment for running Test Runner
##############################
Test: TestRunner: l2cap-tester - PASS - 2.58 seconds
Run test-runner with l2cap-tester
Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: bnep-tester - PASS - 1.88 seconds
Run test-runner with bnep-tester
Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: mgmt-tester - PASS - 31.34 seconds
Run test-runner with mgmt-tester
Total: 448, Passed: 445 (99.3%), Failed: 0, Not Run: 3
##############################
Test: TestRunner: rfcomm-tester - PASS - 2.08 seconds
Run test-runner with rfcomm-tester
Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: sco-tester - PASS - 2.00 seconds
Run test-runner with sco-tester
Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
##############################
Test: TestRunner: smp-tester - FAIL - 2.05 seconds
Run test-runner with smp-tester
Total: 8, Passed: 7 (87.5%), Failed: 1, Not Run: 0
Failed Test Cases
SMP Client - SC Request 2 Failed 0.020 seconds
##############################
Test: TestRunner: userchan-tester - PASS - 1.91 seconds
Run test-runner with userchan-tester
Total: 3, Passed: 3 (100.0%), Failed: 0, Not Run: 0
---
Regards,
Linux Bluetooth
[-- Attachment #2: l2cap-tester.log --]
[-- Type: application/octet-stream, Size: 44385 bytes --]
[-- Attachment #3: bnep-tester.log --]
[-- Type: application/octet-stream, Size: 3592 bytes --]
[-- Attachment #4: mgmt-tester.log --]
[-- Type: application/octet-stream, Size: 616862 bytes --]
[-- Attachment #5: rfcomm-tester.log --]
[-- Type: application/octet-stream, Size: 11712 bytes --]
[-- Attachment #6: sco-tester.log --]
[-- Type: application/octet-stream, Size: 9947 bytes --]
[-- Attachment #7: smp-tester.log --]
[-- Type: application/octet-stream, Size: 11740 bytes --]
[-- Attachment #8: userchan-tester.log --]
[-- Type: application/octet-stream, Size: 5489 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
2021-08-04 15:09 [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow Colin King
2021-08-04 16:12 ` bluez.test.bot
@ 2021-08-05 13:06 ` Marcel Holtmann
1 sibling, 0 replies; 3+ messages in thread
From: Marcel Holtmann @ 2021-08-05 13:06 UTC (permalink / raw)
To: Colin King
Cc: Karsten Keil, Johan Hedberg, Luiz Augusto von Dentz,
David S. Miller, Jakub Kicinski, Andrei Emeltchenko,
Gustavo Padovan, open list:NETWORKING [GENERAL],
BlueZ, kernel-janitors, linux-kernel
Hi Colin,
> An earlier commit replaced using batostr to using %pMR sprintf for the
> construction of session->name. Static analysis detected that this new
> method can use a total of 21 characters (including the trailing '\0')
> so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
> buffer overflows.
>
> Addresses-Coverity: ("Out-of-bounds write")
> Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> net/bluetooth/cmtp/cmtp.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
patch has been applied to bluetooth-next tree.
Regards
Marcel
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-05 13:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-04 15:09 [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow Colin King
2021-08-04 16:12 ` bluez.test.bot
2021-08-05 13:06 ` [PATCH] " Marcel Holtmann
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.