[PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow

From: Colin King
Date: Wed Aug 04 2021 - 11:09:57 EST

Next message: Fabio M. De Francesco: "Re: [PATCH] staging: r8188eu: core: Remove rtw_mfree_all_stainfo()"
Previous message: Colin Ian King: "Re: [PATCH][next[next]] scsi: qla2xxx: Remove redundant initialization of variable num_cnt"
Next in thread: Marcel Holtmann: "Re: [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Colin Ian King <colin.king@xxxxxxxxxxxxx>

An earlier commit replaced using batostr to using %pMR sprintf for the
construction of session->name. Static analysis detected that this new
method can use a total of 21 characters (including the trailing '\0')
so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
buffer overflows.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
---
net/bluetooth/cmtp/cmtp.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index c32638dddbf9..f6b9dc4e408f 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -26,7 +26,7 @@
#include <linux/types.h>
#include <net/bluetooth/bluetooth.h>

-#define BTNAMSIZ 18
+#define BTNAMSIZ 21

/* CMTP ioctl defines */
#define CMTPCONNADD _IOW('C', 200, int)
--
2.31.1

Next message: Fabio M. De Francesco: "Re: [PATCH] staging: r8188eu: core: Remove rtw_mfree_all_stainfo()"
Previous message: Colin Ian King: "Re: [PATCH][next[next]] scsi: qla2xxx: Remove redundant initialization of variable num_cnt"
Next in thread: Marcel Holtmann: "Re: [PATCH] Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]