From: Colin Ian King <colin.king@canonical.com>
Date: Wed, 4 Aug 2021 15:09:51 +0000 (+0100)
Subject: Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
X-Git-Tag: v5.4.146~64
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5537dc810b2abf95eea37d96dfe16419c7760ea4;p=thirdparty%2Fkernel%2Fstable.git

Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow

[ Upstream commit 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d ]

An earlier commit replaced using batostr to using %pMR sprintf for the
construction of session->name. Static analysis detected that this new
method can use a total of 21 characters (including the trailing '\0')
so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
buffer overflows.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index c32638dddbf94..f6b9dc4e408f2 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -26,7 +26,7 @@
 #include <linux/types.h>
 #include <net/bluetooth/bluetooth.h>
 
-#define BTNAMSIZ 18
+#define BTNAMSIZ 21
 
 /* CMTP ioctl defines */
 #define CMTPCONNADD	_IOW('C', 200, int)