Commit 81566800 authored Apr 03, 2018 by Arnd Bergmann Committed by Razziell Jun 07, 2019

bluetooth: fix hci name overflow



gcc-8 warns that the index of the hci device could overflow the eight
character array:

net/bluetooth/hci_core.c: In function 'hci_register_dev':
net/bluetooth/hci_core.c:3093:26: error: '%d' directive writing between 1 and 10 bytes into a region of size 5 [-Werror=format-overflow=]
  sprintf(hdev->name, "hci%d", id);
                          ^~
net/bluetooth/hci_core.c:3093:22: note: directive argument in the range [0, 2147483647]
  sprintf(hdev->name, "hci%d", id);
                      ^~~~~~~
net/bluetooth/hci_core.c:3093:2: note: 'sprintf' output between 5 and 14 bytes into a destination of size 8
  sprintf(hdev->name, "hci%d", id);

This uses snprintf() to enforce a valid string, and limits the range of
the integer to 0..9999. In practice this should not matter as we would
not be able connect more than 9999 bluetooth hci's simultaneously.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Albert I <krascgq@outlook.co.id>

parent b64633d9

net/bluetooth/hci_core.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -4082,13 +4082,14 @@ int hci_register_dev(struct hci_dev *hdev)

		/* Do not allow HCI_AMP devices to register at index 0,
		* so the index can be used as the AMP controller ID.
		* Ensure the name fits into eight characters id < 10000.
		*/
		switch (hdev->dev_type) {
		case HCI_BREDR:
		id = ida_simple_get(&hci_index_ida, 0, 0, GFP_KERNEL);
		id = ida_simple_get(&hci_index_ida, 0, 10000, GFP_KERNEL);
		break;
		case HCI_AMP:
		id = ida_simple_get(&hci_index_ida, 1, 0, GFP_KERNEL);
		id = ida_simple_get(&hci_index_ida, 1, 10000, GFP_KERNEL);
		break;
		default:
		return -EINVAL;
		@@ -4097,7 +4098,7 @@ int hci_register_dev(struct hci_dev *hdev)
		if (id < 0)
		return id;

		sprintf(hdev->name, "hci%d", id);
		snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
		hdev->id = id;

		BT_DBG("%pK name %s bus %d", hdev, hdev->name, hdev->bus);