summaryrefslogtreecommitdiff
path: root/tools/btproxy.c
diff options
context:
space:
mode:
authorERAMOTO Masaya <eramoto.masaya@jp.fujitsu.com>2017-10-04 15:25:34 +0900
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>2017-10-05 16:40:00 +0300
commit53347040ad76de23b72ba024948e82a938ab6ad6 (patch)
tree48eeea5c7839acde512bf68dec9e59635560cd69 /tools/btproxy.c
parent9e997ed2f528ff50e7394b33447a91937e939cf3 (diff)
downloadbluez-53347040ad76de23b72ba024948e82a938ab6ad6.tar.gz
tools/btproxy: Fix buffer overflow with unix socket
btproyx with a unix socket has the similar problem as btmon as below. So this patch fixes btproxy by the similar way as btmon. *** strcpy_chk: buffer overflow detected ***: program terminated at 0x4C3085C: ??? (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x4C34E46: __strcpy_chk (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x401B74: strcpy (string3.h:110) by 0x401B74: open_unix (btproxy.c:625) by 0x401B74: main (btproxy.c:901)
Diffstat (limited to 'tools/btproxy.c')
-rw-r--r--tools/btproxy.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/tools/btproxy.c b/tools/btproxy.c
index f06661d5c..ae0ff744b 100644
--- a/tools/btproxy.c
+++ b/tools/btproxy.c
@@ -610,8 +610,15 @@ static void server_callback(int fd, uint32_t events, void *user_data)
static int open_unix(const char *path)
{
struct sockaddr_un addr;
+ size_t len;
int fd;
+ len = strlen(path);
+ if (len > sizeof(addr.sun_path) - 1) {
+ fprintf(stderr, "Path too long\n");
+ return -1;
+ }
+
unlink(path);
fd = socket(PF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
@@ -622,7 +629,7 @@ static int open_unix(const char *path)
memset(&addr, 0, sizeof(addr));
addr.sun_family = AF_UNIX;
- strcpy(addr.sun_path, path);
+ strncpy(addr.sun_path, path, len);
if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
perror("Failed to bind Unix server socket");
@@ -797,9 +804,16 @@ int main(int argc, char *argv[])
server_address = "0.0.0.0";
break;
case 'u':
- if (optarg)
+ if (optarg) {
+ struct sockaddr_un addr;
+
unix_path = optarg;
- else
+ if (strlen(unix_path) >
+ sizeof(addr.sun_path) - 1) {
+ fprintf(stderr, "Path too long\n");
+ return EXIT_FAILURE;
+ }
+ } else
unix_path = "/tmp/bt-server-bredr";
break;
case 'p':