Re: [PATCH] Bluetooth: hidp: fix buffer overflow

From: Marcel Holtmann
Date: Tue Apr 23 2019 - 13:05:03 EST


Hi Young,


> Struct ca is copied from userspace. It is not checked whether the "name"
> field is NULL terminated, which allows local users to obtain potentially
> sensitive information from kernel stack memory, via a HIDPCONNADD command.
>
> This vulnerability is similar to CVE-2011-1079.
>
> Signed-off-by: Young Xiao <YangX92@xxxxxxxxxxx>
> ---
> net/bluetooth/hidp/sock.c | 1 +
> 1 file changed, 1 insertion(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel