Commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a
Committed by
Linus Torvalds
1 parent
92d499d991
I4L: fix isdn_ioctl memory overrun vulnerability
Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB <adlab@venustech.com.cn> Signed-off-by: Karsten Keil <kkeil@suse.de> Cc: ADLAB <adlab@venustech.com.cn> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 4 additions and 1 deletions Side-by-side Diff
drivers/isdn/i4l/isdn_common.c
... | ... | @@ -1515,6 +1515,7 @@ |
1515 | 1515 | if (copy_from_user(&iocts, argp, |
1516 | 1516 | sizeof(isdn_ioctl_struct))) |
1517 | 1517 | return -EFAULT; |
1518 | + iocts.drvid[sizeof(iocts.drvid)-1] = 0; | |
1518 | 1519 | if (strlen(iocts.drvid)) { |
1519 | 1520 | if ((p = strchr(iocts.drvid, ','))) |
1520 | 1521 | *p = 0; |
... | ... | @@ -1599,6 +1600,7 @@ |
1599 | 1600 | if (copy_from_user(&iocts, argp, |
1600 | 1601 | sizeof(isdn_ioctl_struct))) |
1601 | 1602 | return -EFAULT; |
1603 | + iocts.drvid[sizeof(iocts.drvid)-1] = 0; | |
1602 | 1604 | if (strlen(iocts.drvid)) { |
1603 | 1605 | drvidx = -1; |
1604 | 1606 | for (i = 0; i < ISDN_MAX_DRIVERS; i++) |
... | ... | @@ -1643,7 +1645,7 @@ |
1643 | 1645 | } else { |
1644 | 1646 | p = (char __user *) iocts.arg; |
1645 | 1647 | for (i = 0; i < 10; i++) { |
1646 | - sprintf(bname, "%s%s", | |
1648 | + snprintf(bname, sizeof(bname), "%s%s", | |
1647 | 1649 | strlen(dev->drv[drvidx]->msn2eaz[i]) ? |
1648 | 1650 | dev->drv[drvidx]->msn2eaz[i] : "_", |
1649 | 1651 | (i < 9) ? "," : "\0"); |
... | ... | @@ -1673,6 +1675,7 @@ |
1673 | 1675 | char *p; |
1674 | 1676 | if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) |
1675 | 1677 | return -EFAULT; |
1678 | + iocts.drvid[sizeof(iocts.drvid)-1] = 0; | |
1676 | 1679 | if (strlen(iocts.drvid)) { |
1677 | 1680 | if ((p = strchr(iocts.drvid, ','))) |
1678 | 1681 | *p = 0; |