linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
@ 2021-08-04 15:09 Colin King
  2021-08-05 13:06 ` Marcel Holtmann
  0 siblings, 1 reply; 2+ messages in thread
From: Colin King @ 2021-08-04 15:09 UTC (permalink / raw)
  To: Karsten Keil, Marcel Holtmann, Johan Hedberg,
	Luiz Augusto von Dentz, David S . Miller, Jakub Kicinski,
	Andrei Emeltchenko, Gustavo Padovan, netdev, linux-bluetooth
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

An earlier commit replaced using batostr to using %pMR sprintf for the
construction of session->name. Static analysis detected that this new
method can use a total of 21 characters (including the trailing '\0')
so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
buffer overflows.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/bluetooth/cmtp/cmtp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index c32638dddbf9..f6b9dc4e408f 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -26,7 +26,7 @@
 #include <linux/types.h>
 #include <net/bluetooth/bluetooth.h>
 
-#define BTNAMSIZ 18
+#define BTNAMSIZ 21
 
 /* CMTP ioctl defines */
 #define CMTPCONNADD	_IOW('C', 200, int)
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
  2021-08-04 15:09 [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow Colin King
@ 2021-08-05 13:06 ` Marcel Holtmann
  0 siblings, 0 replies; 2+ messages in thread
From: Marcel Holtmann @ 2021-08-05 13:06 UTC (permalink / raw)
  To: Colin King
  Cc: Karsten Keil, Johan Hedberg, Luiz Augusto von Dentz,
	David S. Miller, Jakub Kicinski, Andrei Emeltchenko,
	Gustavo Padovan, open list:NETWORKING [GENERAL],
	BlueZ, kernel-janitors, linux-kernel

Hi Colin,

> An earlier commit replaced using batostr to using %pMR sprintf for the
> construction of session->name. Static analysis detected that this new
> method can use a total of 21 characters (including the trailing '\0')
> so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
> buffer overflows.
> 
> Addresses-Coverity: ("Out-of-bounds write")
> Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> net/bluetooth/cmtp/cmtp.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel


^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-08-05 13:06 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-04 15:09 [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow Colin King
2021-08-05 13:06 ` Marcel Holtmann

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).