Skip to content

Commit

Permalink
Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer over…
Browse files Browse the repository at this point in the history 
…flow

[ Upstream commit 713baf3 ]

An earlier commit replaced using batostr to using %pMR sprintf for the
construction of session->name. Static analysis detected that this new
method can use a total of 21 characters (including the trailing '\0')
so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
buffer overflows.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: fcb7333 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
  • Loading branch information
@gregkh
Colin Ian King authored and gregkh committed Sep 15, 2021
1 parent f9ac25c commit f7cdfeb
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion net/bluetooth/cmtp/cmtp.h
View file
Expand Up @@ -26,7 +26,7 @@
#include <linux/types.h>
#include <net/bluetooth/bluetooth.h>

#define BTNAMSIZ 18
#define BTNAMSIZ 21

/* CMTP ioctl defines */
#define CMTPCONNADD _IOW('C', 200, int)
Expand Down

0 comments on commit f7cdfeb

Please sign in to comment.