From 21acf2283cacf0c029f2cea82380f4744a1dbcb5 Mon Sep 17 00:00:00 2001 From: Anderson Lizardo Date: Sun, 6 Jan 2013 11:26:52 -0400 Subject: [PATCH] input: Fix buffer overflow when parsing HID SDP record If Service Description for HID service is greater than 126 characters, req->name will overflow while being concatenated with Provider Name. Fix by reserving space for the whitespace used for separator. --- profiles/input/device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/profiles/input/device.c b/profiles/input/device.c index 9ab7509e1..6c152f3c5 100644 --- a/profiles/input/device.c +++ b/profiles/input/device.c @@ -212,7 +212,7 @@ static void extract_hid_record(sdp_record_t *rec, struct hidp_connadd_req *req) if (pdlist) { if (pdlist2) { if (strncmp(pdlist->val.str, pdlist2->val.str, 5)) { - strncpy(req->name, pdlist2->val.str, 127); + strncpy(req->name, pdlist2->val.str, 126); strcat(req->name, " "); } strncat(req->name, pdlist->val.str, 127 - strlen(req->name)); -- 2.47.3