Hi, Static analysis with Coverity has detected a potential buffer overrun with a sprintf into session->name in function cmtp_add_connection in net/bluetooth/cmtp/core.c The analysis is as follows: Out-of-bounds write (OVERRUN) sprintf_overrun: sprintf will overrun its first argument session->name which can accommodate 18 bytes. The number of bytes written may be 21 bytes, including the terminating null. 363 sprintf(session->name, "%pMR", &session->bdaddr); So, %pMR produces can potentially produce 0x............MR\0 (where . is a hex digit) so this accounts for 21 chars. session->name is defined as: char name[BTNAMSIZ]; and BTNAMSIZE is: #define BTNAMSIZ 18 Although an obvious fix is to increase BTNAMSIZE to 21 I'm not sure if this is actually the correct fix. Colin
