author | Karsten Keil <kkeil@suse.de> | 2007-12-01 15:16:15 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-12-03 11:13:17 -0500 |
commit | eafe1aa37e6ec2d56f14732b5240c4dd09f0613a (patch) | |
tree | dafc5d13db02f72f7657e69c51016a3963075bb9 /drivers | |
parent | 92d499d991ec4f5cbd00d6f33967eab9d3ee8d6c (diff) |
I4L: fix isdn_ioctl memory overrun vulnerability
Fix possible memory overrun issue in the isdn ioctl code.
Found by ADLAB <adlab@venustech.com.cn>
Signed-off-by: Karsten Keil <kkeil@suse.de>
Cc: ADLAB <adlab@venustech.com.cn>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/isdn/i4l/isdn_common.c | 5 |
1 files changed, 4 insertions, 1 deletions
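--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1515,6 +1515,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
 if (copy_from_user(&iocts, argp,
 sizeof(isdn_ioctl_struct)))
 return -EFAULT;
+iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 if (strlen(iocts.drvid)) {
 if ((p = strchr(iocts.drvid, ',')))
 *p = 0;
@@ -1599,6 +1600,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
 if (copy_from_user(&iocts, argp,
 sizeof(isdn_ioctl_struct)))
 return -EFAULT;
+iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 if (strlen(iocts.drvid)) {
 drvidx = -1;
 for (i = 0; i < ISDN_MAX_DRIVERS; i++)
@@ -1643,7 +1645,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
 } else {
 p = (char __user *) iocts.arg;
 for (i = 0; i < 10; i++) {
-sprintf(bname, "%s%s",
+snprintf(bname, sizeof(bname), "%s%s",
 strlen(dev->drv[drvidx]->msn2eaz[i]) ?
 dev->drv[drvidx]->msn2eaz[i] : "_",
 (i < 9) ? "," : "\0");
@@ -1673,6 +1675,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
 char *p;
 if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
 return -EFAULT;
+iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 if (strlen(iocts.drvid)) {
 if ((p = strchr(iocts.drvid, ',')))
 *p = 0;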
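Review bot: The `snprintf(bname, sizeof(bname), "%s%s", ...)` call in the third hunk (new line 1648) discards its return value, so an `msn2eaz[i]` entry that does not fit in `bname` is cut short silently. The trailing `","` separator is the first thing lost, which would presumably run two fields together in whatever is handed back to the caller. The kernel's `snprintf` returns the length it would have written, so the call could be checked, for example `if (snprintf(bname, sizeof(bname), ...) >= sizeof(bname)) return -EINVAL;`, or the entries could be length-checked at the point where `msn2eaz` is filled in. The loop body and the declaration of `bname` lie outside the hunk, so how the buffer is consumed after this line is not visible here. The `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` lines in the other three hunks sit correctly between each `copy_from_user` and the `strlen`/`strchr` calls; a comment such as `/* drvid comes from userspace and may lack a terminator */` would record why they are there.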