diff options
author | Dan Carpenter <error27@gmail.com> | 2010-08-04 19:38:06 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-08-05 16:21:25 -0400 |
commit | 4b030d4288a569d6bdeca884d7f102d951f097f2 (patch) | |
tree | 90c999a27f71fa258db88e2b859d31930d112ba3 | |
parent | ce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 (diff) |
isdn: fix information leak
The main motivation of this patch changing strcpy() to strlcpy().
We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at
best the last byte has leaked information, or maybe there is an
overflow? Anyway, this patch closes the information leaks by zeroing
the memory and the calls to strlcpy() prevent overflows.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/isdn/sc/ioctl.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/isdn/sc/ioctl.c b/drivers/isdn/sc/ioctl.c index 43c5dc3516e5..4cfdbe08ffd1 100644 --- a/drivers/isdn/sc/ioctl.c +++ b/drivers/isdn/sc/ioctl.c | |||
@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data) | |||
174 | pr_debug("%s: SCIOGETSPID: ioctl received\n", | 174 | pr_debug("%s: SCIOGETSPID: ioctl received\n", |
175 | sc_adapter[card]->devicename); | 175 | sc_adapter[card]->devicename); |
176 | 176 | ||
177 | spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL); | 177 | spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL); |
178 | if (!spid) { | 178 | if (!spid) { |
179 | kfree(rcvmsg); | 179 | kfree(rcvmsg); |
180 | return -ENOMEM; | 180 | return -ENOMEM; |
@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data) | |||
194 | kfree(rcvmsg); | 194 | kfree(rcvmsg); |
195 | return status; | 195 | return status; |
196 | } | 196 | } |
197 | strcpy(spid, rcvmsg->msg_data.byte_array); | 197 | strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE); |
198 | 198 | ||
199 | /* | 199 | /* |
200 | * Package the switch type and send to user space | 200 | * Package the switch type and send to user space |
@@ -266,12 +266,12 @@ int sc_ioctl(int card, scs_ioctl *data) | |||
266 | return status; | 266 | return status; |
267 | } | 267 | } |
268 | 268 | ||
269 | dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL); | 269 | dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL); |
270 | if (!dn) { | 270 | if (!dn) { |
271 | kfree(rcvmsg); | 271 | kfree(rcvmsg); |
272 | return -ENOMEM; | 272 | return -ENOMEM; |
273 | } | 273 | } |
274 | strcpy(dn, rcvmsg->msg_data.byte_array); | 274 | strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE); |
275 | kfree(rcvmsg); | 275 | kfree(rcvmsg); |
276 | 276 | ||
277 | /* | 277 | /* |
@@ -337,7 +337,7 @@ int sc_ioctl(int card, scs_ioctl *data) | |||
337 | pr_debug("%s: SCIOSTAT: ioctl received\n", | 337 | pr_debug("%s: SCIOSTAT: ioctl received\n", |
338 | sc_adapter[card]->devicename); | 338 | sc_adapter[card]->devicename); |
339 | 339 | ||
340 | bi = kmalloc (sizeof(boardInfo), GFP_KERNEL); | 340 | bi = kzalloc(sizeof(boardInfo), GFP_KERNEL); |
341 | if (!bi) { | 341 | if (!bi) { |
342 | kfree(rcvmsg); | 342 | kfree(rcvmsg); |
343 | return -ENOMEM; | 343 | return -ENOMEM; |