author | Marcel Holtmann <marcel@holtmann.org> | 2005-08-05 04:28:34 +0000 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2005-08-05 04:28:34 +0000 |
commit | e41fb20b888901da7c29bc9fa096f6cc4b6b3542 (patch) | |
tree | 0e08be392156f4a6fed0c79ab74f653058220b96 /hcid/security.c | |
parent | 69ae05c1fc41eba63442939e1ea69433271de3da (diff) |
Fix security problem with escape characters in device name
Diffstat (limited to 'hcid/security.c')
-rw-r--r-- | hcid/security.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/hcid/security.c b/hcid/security.c
index 7dfa4a17..718fff3d 100644
--- a/hcid/security.c
+++ b/hcid/security.c
@@ -302,7 +302,7 @@ static void call_pin_helper(int dev, bdaddr_t *sba, struct hci_conn_info *ci)
 {
 pin_code_reply_cp pr;
 struct sigaction sa;
- char addr[18], str[255], *pin, name[249];
+ char addr[18], str[512], *pin, name[249], tmp[499], *ptr;
 FILE *pipe;
 int i, ret, len;
@@ -327,14 +327,20 @@ static void call_pin_helper(int dev, bdaddr_t *sba, struct hci_conn_info *ci)
 read_device_name(sba, &ci->bdaddr, name);
 //hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
+ memset(tmp, 0, sizeof(tmp));
+ ptr = tmp;
+
 for (i = 0; i < 248 && name[i]; i++)
- if (!isprint(name[i]))
- name[i] = '.';
- name[248] = '\0';
+ if (isprint(name[i])) {
+ if (name[i] == '"')
+ *ptr++ = '\\';
+ *ptr++ = name[i];
+ } else
+ *ptr++ = '.';
 ba2str(&ci->bdaddr, addr);
- snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
- ci->out ? "out" : "in", addr, name);
+ snprintf(str, sizeof(str), "%s %s %s \"%s\"", hcid.pin_helper,
+ ci->out ? "out" : "in", addr, tmp);
 setenv("PATH", "/bin:/usr/bin:/usr/local/bin", 1); |
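Review bot: The new sizes `tmp[499]` and `str[512]` in the declaration are unexplained, and the second one can still be too small. With at most 248 name bytes, each possibly preceded by a backslash, `tmp` needs 497 bytes, so 499 is enough; a comment such as `/* 2 * 248 escaped name bytes + NUL */` would record that. `str` must also hold `hcid.pin_helper`, the direction and the address, and the `snprintf` return value in the second hunk is not checked, so a long helper path combined with a long name would silently cut the command off before the closing quote; comparing the result with `sizeof(str)` and skipping the helper on truncation would close that gap. The function body continues outside both hunks.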
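Review bot: Escaping only `"` in the copy loop is not enough once the name sits inside double quotes: backslash, `$` and the backquote character pass `isprint()` and stay special there, so a remote device name can still change how the command line is parsed, including a trailing backslash that swallows the closing quote. The string is presumably run through a shell (`FILE *pipe` is declared and PATH is set right after; the call itself is outside the hunk), so either escape those three characters as well in the `if (name[i] == '"')` test, or better hand the name to the helper without a shell, as an argv element or an environment variable. Separately, `isprint(name[i])` receives a plain `char`; bytes above 0x7f in a name need `isprint((unsigned char) name[i])` to avoid undefined behaviour.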