diff options
author | Jim Meyering <meyering@redhat.com> | 2012-10-04 13:09:55 +0200 |
---|---|---|
committer | Anthony Liguori <aliguori@us.ibm.com> | 2012-10-05 07:58:37 -0500 |
commit | e5fda03839e3c61b01d6c60de5625501d01c69d0 (patch) | |
tree | c5087ac23b37454f1d35a65074178cf5208ac157 /hw/bt-hci.c | |
parent | 5847d9e1399d3497be8eeca6f3a20a18a40b114b (diff) | |
download | qemu-e5fda03839e3c61b01d6c60de5625501d01c69d0.zip qemu-e5fda03839e3c61b01d6c60de5625501d01c69d0.tar.gz qemu-e5fda03839e3c61b01d6c60de5625501d01c69d0.tar.bz2 |
bt: replace fragile snprintf use and unwarranted strncpy
In bt_hci_name_req a failed snprintf could return len larger than
sizeof(params.name), which means the following memset call would
have a "length" value of (size_t)-1, -2, etc... Sounds scary.
But currently, one can deduce that there is no problem:
strlen(slave->lmp_name) is guaranteed to be smaller than
CHANGE_LOCAL_NAME_CP_SIZE, which is the same as sizeof(params.name),
so this cannot happen. Regardless, there is no justification for
using snprintf+memset. Use pstrcpy instead.
Also, in bt_hci_event_complete_read_local_name, use pstrcpy in place
of unwarranted strncpy.
Signed-off-by: Jim Meyering <meyering@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Diffstat (limited to 'hw/bt-hci.c')
-rw-r--r-- | hw/bt-hci.c | 7 |
1 files changed, 2 insertions, 5 deletions
diff --git a/hw/bt-hci.c b/hw/bt-hci.c index a3a7fb4..47f9a4e 100644 --- a/hw/bt-hci.c +++ b/hw/bt-hci.c @@ -943,7 +943,6 @@ static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr) { struct bt_device_s *slave; evt_remote_name_req_complete params; - int len; for (slave = hci->device.net->slave; slave; slave = slave->next) if (slave->page_scan && !bacmp(&slave->bd_addr, bdaddr)) @@ -955,9 +954,7 @@ static int bt_hci_name_req(struct bt_hci_s *hci, bdaddr_t *bdaddr) params.status = HCI_SUCCESS; bacpy(¶ms.bdaddr, &slave->bd_addr); - len = snprintf(params.name, sizeof(params.name), - "%s", slave->lmp_name ?: ""); - memset(params.name + len, 0, sizeof(params.name) - len); + pstrcpy(params.name, sizeof(params.name), slave->lmp_name ?: ""); bt_hci_event(hci, EVT_REMOTE_NAME_REQ_COMPLETE, ¶ms, EVT_REMOTE_NAME_REQ_COMPLETE_SIZE); @@ -1388,7 +1385,7 @@ static inline void bt_hci_event_complete_read_local_name(struct bt_hci_s *hci) params.status = HCI_SUCCESS; memset(params.name, 0, sizeof(params.name)); if (hci->device.lmp_name) - strncpy(params.name, hci->device.lmp_name, sizeof(params.name)); + pstrcpy(params.name, sizeof(params.name), hci->device.lmp_name); bt_hci_event_complete(hci, ¶ms, READ_LOCAL_NAME_RP_SIZE); } |