Bluetooth: bnep: fix buffer overflow

commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 8ffb57f2303a5124d93d405c083b32b419bd7ecb..9a04d1379728a1a761a72e3ced49456d3167740c 100644 (file)
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -93,6 +93,7 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
                        sockfd_put(nsock);
                        return -EBADFD;
                }
+               ca.device[sizeof(ca.device)-1] = 0;
 
                err = bnep_add_connection(&ca, nsock);
                if (!err) {