From 1c195ab280da561f38e54449e4eb3d6882c69b3b Mon Sep 17 00:00:00 2001
From: Johan Hedberg
Date: Wed, 25 Feb 2009 17:48:40 +0200
Subject: Fix strncpy length parameters to avoid non-nul-terminated strings
---
 compat/fakehid.c | 2 +-
 compat/sdp.c | 4 ++--
 input/device.c | 4 ++--
 network/bridge.c | 2 +-
 network/common.c | 4 ++--
 network/connection.c | 4 ++--
 network/server.c | 2 +-
 src/main.c | 3 ++-
 test/hciemu.c | 3 ++-
 9 files changed, 15 insertions(+), 13 deletions(-)
diff --git a/compat/fakehid.c b/compat/fakehid.c
index bed05c36..438185d3 100644
--- a/compat/fakehid.c
+++ b/compat/fakehid.c
@@ -97,7 +97,7 @@ static int uinput_create(char *name, int keyboard, int mouse)
 memset(&dev, 0, sizeof(dev));
 if (name)
- strncpy(dev.name, name, UINPUT_MAX_NAME_SIZE);
+ strncpy(dev.name, name, UINPUT_MAX_NAME_SIZE - 1);
 dev.id.bustype = BUS_BLUETOOTH;
 dev.id.vendor = 0x0000;
diff --git a/compat/sdp.c b/compat/sdp.c
index bb188f6a..d411c05f 100644
--- a/compat/sdp.c
+++ b/compat/sdp.c
@@ -259,11 +259,11 @@ int get_sdp_device_info(const bdaddr_t *src, const bdaddr_t *dst, struct hidp_co
 strncat(req->name, pdlist->val.str, sizeof(req->name) - strlen(req->name));
 } else
- strncpy(req->name, pdlist->val.str, sizeof(req->name));
+ strncpy(req->name, pdlist->val.str, sizeof(req->name) - 1);
 } else {
 pdlist2 = sdp_data_get(rec, 0x0100);
 if (pdlist2)
- strncpy(req->name, pdlist2->val.str, sizeof(req->name));
+ strncpy(req->name, pdlist2->val.str, sizeof(req->name) - 1);
 }
 pdlist = sdp_data_get(rec, 0x0201);
diff --git a/input/device.c b/input/device.c
index a41df177..0090bd4b 100644
--- a/input/device.c
+++ b/input/device.c
@@ -177,7 +177,7 @@ static int uinput_create(char *name)
 memset(&dev, 0, sizeof(dev));
 if (name)
- strncpy(dev.name, name, UINPUT_MAX_NAME_SIZE);
+ strncpy(dev.name, name, UINPUT_MAX_NAME_SIZE - 1);
 dev.id.bustype = BUS_BLUETOOTH;
 dev.id.vendor = 0x0000;
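Review bot: The `strncat` call kept as context at the top of the compat/sdp.c hunk still passes `sizeof(req->name) - strlen(req->name)` as its bound, and strncat writes a terminating NUL after the bytes it appends, so a long SDP string can put that NUL one byte past the end of `req->name`. The commit corrects the two `strncpy` calls next to it but leaves this one; the bound should be `sizeof(req->name) - strlen(req->name) - 1`. The enclosing branch of get_sdp_device_info starts above the hunk, so whether `req->name` is already terminated when strncat runs cannot be confirmed from here.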
@@ -635,7 +635,7 @@ static int hidp_add_connection(const struct input_device *idev,
 }
 if (idev->name)
- strncpy(req->name, idev->name, 128);
+ strncpy(req->name, idev->name, sizeof(req->name) - 1);
 /* Encryption is mandatory for keyboards */
 if (req->subclass & 0x40) {
diff --git a/network/bridge.c b/network/bridge.c
index 7d84349e..995da5c9 100644
--- a/network/bridge.c
+++ b/network/bridge.c
@@ -120,7 +120,7 @@ int bridge_add_interface(int id, const char *dev)
 return -ENODEV;
 memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, name, IFNAMSIZ);
+ strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
 ifr.ifr_ifindex = ifindex;
 err = ioctl(bridge_socket, SIOCBRADDIF, &ifr);
diff --git a/network/common.c b/network/common.c
index 371d74bf..f8967afd 100644
--- a/network/common.c
+++ b/network/common.c
@@ -262,7 +262,7 @@ int bnep_if_up(const char *devname, uint16_t id)
 sd = socket(AF_INET6, SOCK_DGRAM, 0);
 memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, devname, IF_NAMESIZE);
+ strncpy(ifr.ifr_name, devname, IF_NAMESIZE - 1);
 ifr.ifr_flags |= IFF_UP;
 ifr.ifr_flags |= IFF_MULTICAST;
@@ -352,7 +352,7 @@ int bnep_if_down(const char *devname)
 done:
 sd = socket(AF_INET6, SOCK_DGRAM, 0);
 memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, devname, IF_NAMESIZE);
+ strncpy(ifr.ifr_name, devname, IF_NAMESIZE - 1);
 ifr.ifr_flags &= ~IFF_UP;
diff --git a/network/connection.c b/network/connection.c
index bc693aba..843a57a7 100644
--- a/network/connection.c
+++ b/network/connection.c
@@ -169,7 +169,7 @@ static gboolean bnep_watchdog_cb(GIOChannel *chan, GIOCondition cond,
 bnep_if_down(nc->dev);
 nc->state = DISCONNECTED;
 memset(nc->dev, 0, 16);
- strncpy(nc->dev, prefix, strlen(prefix));
+ strncpy(nc->dev, prefix, sizeof(nc->dev) - 1);
 g_io_channel_shutdown(chan, TRUE, NULL);
 return FALSE;
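Review bot: Copying `sizeof(req->name) - 1` bytes in hidp_add_connection terminates the string only if the last byte of `req->name` is already zero, and the allocation or clearing of `req` is not visible in this hunk. Unlike the uinput_create and network hunks, where a `memset` sits directly above the copy, the guarantee here lives elsewhere in the function; the same holds for the `req->name` copies in compat/sdp.c and for `main_opts.deviceid` in src/main.c. Adding `req->name[sizeof(req->name) - 1] = '\0';` after the copy would make the termination local and keep it intact if the buffer setup changes later.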
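Review bot: In both bnep_if_up and bnep_if_down (network/common.c) the descriptor from `sd = socket(AF_INET6, SOCK_DGRAM, 0);` is used without a check in the lines shown, so a failed socket() would carry -1 into whatever follows below the hunk. A guard such as `if (sd < 0) return -errno;` right after the call would stop that. The copy now also truncates an overlong `devname` silently, so the later request could name a different interface than the caller asked for; rejecting `strlen(devname) >= IF_NAMESIZE` up front is safer than truncating. Both function bodies continue outside their hunks, so the existing error convention should be confirmed before choosing the return value.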
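Review bot: The `memset(nc->dev, 0, 16);` above the changed line in bnep_watchdog_cb still hard-codes the buffer length while the new copy uses `sizeof(nc->dev) - 1`, so the two can disagree if the field is ever resized; `memset(nc->dev, 0, sizeof(nc->dev));` keeps them tied together. The same pairing appears in connection_register in this file and, with `devname`, in server_connadd in network/server.c. The declarations are outside these hunks: `sizeof` gives the intended bound only if `nc->dev` and `devname` are arrays rather than pointers, which is worth confirming.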
@@ -625,7 +625,7 @@ int connection_register(const char *path, bdaddr_t *src, bdaddr_t *dst,
 nc = g_new0(struct network_conn, 1);
 nc->id = id;
 memset(nc->dev, 0, 16);
- strncpy(nc->dev, prefix, strlen(prefix));
+ strncpy(nc->dev, prefix, sizeof(nc->dev) - 1);
 nc->state = DISCONNECTED;
 nc->peer = peer;
diff --git a/network/server.c b/network/server.c
index af1a8664..77a1f4b8 100644
--- a/network/server.c
+++ b/network/server.c
@@ -283,7 +283,7 @@ static int server_connadd(struct network_server *ns,
 return -EPERM;
 memset(devname, 0, 16);
- strncpy(devname, prefix, strlen(prefix));
+ strncpy(devname, prefix, sizeof(devname) - 1);
 nsk = g_io_channel_unix_get_fd(session->io);
 err = bnep_connadd(nsk, dst_role, devname);
diff --git a/src/main.c b/src/main.c
index 80b4636e..a7afcbf8 100644
--- a/src/main.c
+++ b/src/main.c
@@ -189,7 +189,8 @@ static void parse_config(GKeyFile *config)
 g_clear_error(&err);
 } else {
 debug("deviceid=%s", str);
- strncpy(main_opts.deviceid, str, sizeof(main_opts.deviceid));
+ strncpy(main_opts.deviceid, str,
+ sizeof(main_opts.deviceid) - 1);
 g_free(str);
 }
diff --git a/test/hciemu.c b/test/hciemu.c
index 43cec1ed..9f651bc4 100644
--- a/test/hciemu.c
+++ b/test/hciemu.c
@@ -1314,7 +1314,8 @@ int main(int argc, char *argv[])
 vdev.features[7] = 0x80;
 memset(vdev.name, 0, sizeof(vdev.name));
- strncpy((char *) vdev.name, "BlueZ (Virtual HCI)", sizeof(vdev.name));
+ strncpy((char *) vdev.name, "BlueZ (Virtual HCI)",
+ sizeof(vdev.name) - 1);
 vdev.dev_class[0] = 0x00;
 vdev.dev_class[1] = 0x00;
-- cgit