aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <error27@gmail.com>2010-08-04 19:38:06 -0400
committerDavid S. Miller <davem@davemloft.net>2010-08-05 16:21:25 -0400
commit4b030d4288a569d6bdeca884d7f102d951f097f2 (patch)
tree90c999a27f71fa258db88e2b859d31930d112ba3
parentce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 (diff)
isdn: fix information leak
The main motivation of this patch changing strcpy() to strlcpy(). We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at best the last byte has leaked information, or maybe there is an overflow? Anyway, this patch closes the information leaks by zeroing the memory and the calls to strlcpy() prevent overflows. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/sc/ioctl.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/isdn/sc/ioctl.c b/drivers/isdn/sc/ioctl.c
index 43c5dc3516e5..4cfdbe08ffd1 100644
--- a/drivers/isdn/sc/ioctl.c
+++ b/drivers/isdn/sc/ioctl.c
@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
174 pr_debug("%s: SCIOGETSPID: ioctl received\n", 174 pr_debug("%s: SCIOGETSPID: ioctl received\n",
175 sc_adapter[card]->devicename); 175 sc_adapter[card]->devicename);
176 176
177 spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL); 177 spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
178 if (!spid) { 178 if (!spid) {
179 kfree(rcvmsg); 179 kfree(rcvmsg);
180 return -ENOMEM; 180 return -ENOMEM;
@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
194 kfree(rcvmsg); 194 kfree(rcvmsg);
195 return status; 195 return status;
196 } 196 }
197 strcpy(spid, rcvmsg->msg_data.byte_array); 197 strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
198 198
199 /* 199 /*
200 * Package the switch type and send to user space 200 * Package the switch type and send to user space
@@ -266,12 +266,12 @@ int sc_ioctl(int card, scs_ioctl *data)
266 return status; 266 return status;
267 } 267 }
268 268
269 dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL); 269 dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
270 if (!dn) { 270 if (!dn) {
271 kfree(rcvmsg); 271 kfree(rcvmsg);
272 return -ENOMEM; 272 return -ENOMEM;
273 } 273 }
274 strcpy(dn, rcvmsg->msg_data.byte_array); 274 strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
275 kfree(rcvmsg); 275 kfree(rcvmsg);
276 276
277 /* 277 /*
@@ -337,7 +337,7 @@ int sc_ioctl(int card, scs_ioctl *data)
337 pr_debug("%s: SCIOSTAT: ioctl received\n", 337 pr_debug("%s: SCIOSTAT: ioctl received\n",
338 sc_adapter[card]->devicename); 338 sc_adapter[card]->devicename);
339 339
340 bi = kmalloc (sizeof(boardInfo), GFP_KERNEL); 340 bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
341 if (!bi) { 341 if (!bi) {
342 kfree(rcvmsg); 342 kfree(rcvmsg);
343 return -ENOMEM; 343 return -ENOMEM;