* net/bluetooth/cmtp/core.c: potential buffer overrun in session->name
@ 2021-08-04 9:08 Colin Ian King
2021-08-04 14:46 ` Marcel Holtmann
0 siblings, 1 reply; 2+ messages in thread
From: Colin Ian King @ 2021-08-04 9:08 UTC (permalink / raw)
To: Marcel Holtmann, Johan Hedberg, Luiz Augusto von Dentz; +Cc: linux-bluetooth
Hi,
Static analysis with Coverity has detected a potential buffer overrun
with a sprintf into session->name in function cmtp_add_connection in
net/bluetooth/cmtp/core.c
The analysis is as follows:
Out-of-bounds write (OVERRUN)
sprintf_overrun: sprintf will overrun its first argument session->name
which can accommodate 18 bytes. The number of bytes written may be 21
bytes, including the terminating null.
363 sprintf(session->name, "%pMR", &session->bdaddr);
So, %pMR produces can potentially produce 0x............MR\0 (where . is
a hex digit) so this accounts for 21 chars. session->name is defined as:
char name[BTNAMSIZ];
and BTNAMSIZE is:
#define BTNAMSIZ 18
Although an obvious fix is to increase BTNAMSIZE to 21 I'm not sure if
this is actually the correct fix.
Colin
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: net/bluetooth/cmtp/core.c: potential buffer overrun in session->name
2021-08-04 9:08 net/bluetooth/cmtp/core.c: potential buffer overrun in session->name Colin Ian King
@ 2021-08-04 14:46 ` Marcel Holtmann
0 siblings, 0 replies; 2+ messages in thread
From: Marcel Holtmann @ 2021-08-04 14:46 UTC (permalink / raw)
To: Colin Ian King; +Cc: Johan Hedberg, Luiz Augusto von Dentz, linux-bluetooth
Hi Colin,
> Static analysis with Coverity has detected a potential buffer overrun
> with a sprintf into session->name in function cmtp_add_connection in
> net/bluetooth/cmtp/core.c
>
> The analysis is as follows:
>
> Out-of-bounds write (OVERRUN)
> sprintf_overrun: sprintf will overrun its first argument session->name
> which can accommodate 18 bytes. The number of bytes written may be 21
> bytes, including the terminating null.
>
> 363 sprintf(session->name, "%pMR", &session->bdaddr);
>
> So, %pMR produces can potentially produce 0x............MR\0 (where . is
> a hex digit) so this accounts for 21 chars. session->name is defined as:
>
> char name[BTNAMSIZ];
>
> and BTNAMSIZE is:
>
> #define BTNAMSIZ 18
>
> Although an obvious fix is to increase BTNAMSIZE to 21 I'm not sure if
> this is actually the correct fix.
go for it.
Regards
Marcel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-04 14:46 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-04 9:08 net/bluetooth/cmtp/core.c: potential buffer overrun in session->name Colin Ian King
2021-08-04 14:46 ` Marcel Holtmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).