From: Luiz Augusto von Dentz Date: Wed, 28 Feb 2024 15:49:26 +0000 (-0500) Subject: Bluetooth: hci_core: Fix possible buffer overflow X-Git-Tag: v6.9-rc1~159^2~36^2~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=81137162bfaa7278785b24c1fd2e9e74f082e8e4;p=thirdparty%2Flinux.git Bluetooth: hci_core: Fix possible buffer overflow struct hci_dev_info has a fixed size name[8] field so in the event that hdev->name is bigger than that strcpy would attempt to write past its size, so this fixes this problem by switching to use strscpy. Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings") Signed-off-by: Luiz Augusto von Dentz --- diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index 6ca4c0df9f9c4..230d2bbb933b2 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -908,7 +908,7 @@ int hci_get_dev_info(void __user *arg) else flags = hdev->flags; - strcpy(di.name, hdev->name); + strscpy(di.name, hdev->name, sizeof(di.name)); di.bdaddr = hdev->bdaddr; di.type = (hdev->bus & 0x0f) | ((hdev->dev_type & 0x03) << 4); di.flags = flags;
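Review bot: The new `strscpy(di.name, hdev->name, sizeof(di.name));` in hci_get_dev_info() discards its return value, so a name that does not fit in di.name is silently truncated. strscpy() returns -E2BIG in that case, and the commit message says hdev->name can be larger than the fixed name[8] field, so userspace would get a shortened device name with no indication. Either check the return value and warn or fail, or state in the commit message or a comment that truncation is the intended behaviour for this ioctl. Separately, strscpy() does not touch the bytes after the terminator. The argument is a `void __user *`, so if di is later copied out and was not zeroed earlier in the function (not visible in this hunk), strscpy_pad() would avoid leaving stale bytes in the tail of di.name.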