From e41fb20b888901da7c29bc9fa096f6cc4b6b3542 Mon Sep 17 00:00:00 2001
From: Marcel Holtmann <marcel@holtmann.org>
Date: Fri, 5 Aug 2005 04:28:34 +0000
Subject: Fix security problem with escape characters in device name

---
 hcid/security.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/hcid/security.c b/hcid/security.c
index 7dfa4a17..718fff3d 100644
--- a/hcid/security.c
+++ b/hcid/security.c
@@ -302,7 +302,7 @@ static void call_pin_helper(int dev, bdaddr_t *sba, struct hci_conn_info *ci)
 {
 	pin_code_reply_cp pr;
 	struct sigaction sa;
-	char addr[18], str[255], *pin, name[249];
+	char addr[18], str[512], *pin, name[249], tmp[499], *ptr;
 	FILE *pipe;
 	int i, ret, len;
 
@@ -327,14 +327,20 @@ static void call_pin_helper(int dev, bdaddr_t *sba, struct hci_conn_info *ci)
 	read_device_name(sba, &ci->bdaddr, name);
 	//hci_remote_name(dev, &ci->bdaddr, sizeof(name), name, 0);
 
+	memset(tmp, 0, sizeof(tmp));
+	ptr = tmp;
+
 	for (i = 0; i < 248 && name[i]; i++)
-		if (!isprint(name[i]))
-			name[i] = '.';
-	name[248] = '\0';
+		if (isprint(name[i])) {
+			if (name[i] == '"')
+				*ptr++ = '\\';
+			*ptr++ = name[i];
+		} else
+			*ptr++ = '.';
 
 	ba2str(&ci->bdaddr, addr);
-	snprintf(str, sizeof(str), "%s %s %s \'%s\'", hcid.pin_helper,
-					ci->out ? "out" : "in", addr, name);
+	snprintf(str, sizeof(str), "%s %s %s \"%s\"", hcid.pin_helper,
+					ci->out ? "out" : "in", addr, tmp);
 
 	setenv("PATH", "/bin:/usr/bin:/usr/local/bin", 1);
 
-- 
cgit