Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow

Commit Message

Colin King Aug. 4, 2021, 3:09 p.m. UTC

From: Colin Ian King <colin.king@canonical.com>

An earlier commit replaced using batostr to using %pMR sprintf for the
construction of session->name. Static analysis detected that this new
method can use a total of 21 characters (including the trailing '\0')
so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
buffer overflows.

Addresses-Coverity: ("Out-of-bounds write")
Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/bluetooth/cmtp/cmtp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Marcel Holtmann Aug. 5, 2021, 1:06 p.m. UTC | #1

Hi Colin,

> An earlier commit replaced using batostr to using %pMR sprintf for the
> construction of session->name. Static analysis detected that this new
> method can use a total of 21 characters (including the trailing '\0')
> so we need to increase the BTNAMSIZ from 18 to 21 to fix potential
> buffer overflows.
> 
> Addresses-Coverity: ("Out-of-bounds write")
> Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> ---
> net/bluetooth/cmtp/cmtp.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)

patch has been applied to bluetooth-next tree.

Regards

Marcel

Patch

diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h
index c32638dddbf9..f6b9dc4e408f 100644
--- a/net/bluetooth/cmtp/cmtp.h
+++ b/net/bluetooth/cmtp/cmtp.h
@@ -26,7 +26,7 @@ 
 #include <linux/types.h>
 #include <net/bluetooth/bluetooth.h>
 
-#define BTNAMSIZ 18
+#define BTNAMSIZ 21
 
 /* CMTP ioctl defines */
 #define CMTPCONNADD	_IOW('C', 200, int)