Commit eafe1aa37e6ec2d56f14732b5240c4dd09f0613a

Authored by Karsten Keil
Committed by Linus Torvalds
1 parent 92d499d991

I4L: fix isdn_ioctl memory overrun vulnerability

Fix possible memory overrun issue in the isdn ioctl code.

Found by ADLAB <adlab@venustech.com.cn>

Signed-off-by: Karsten Keil <kkeil@suse.de>
Cc: ADLAB <adlab@venustech.com.cn>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 4 additions and 1 deletions Side-by-side Diff

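--- a/drivers/isdn/i4l/isdn_common.c
+++ b/drivers/isdn/i4l/isdn_common.c
@@ -1515,6 +1515,7 @@
 if (copy_from_user(&iocts, argp,
 sizeof(isdn_ioctl_struct)))
 return -EFAULT;
+iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 if (strlen(iocts.drvid)) {
 if ((p = strchr(iocts.drvid, ',')))
 *p = 0;
@@ -1599,6 +1600,7 @@
 if (copy_from_user(&iocts, argp,
 sizeof(isdn_ioctl_struct)))
 return -EFAULT;
+iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 if (strlen(iocts.drvid)) {
 drvidx = -1;
 for (i = 0; i < ISDN_MAX_DRIVERS; i++)
@@ -1643,7 +1645,7 @@
 } else {
 p = (char __user *) iocts.arg;
 for (i = 0; i < 10; i++) {
-sprintf(bname, "%s%s",
+snprintf(bname, sizeof(bname), "%s%s",
 strlen(dev->drv[drvidx]->msn2eaz[i]) ?
 dev->drv[drvidx]->msn2eaz[i] : "_",
 (i < 9) ? "," : "\0");
@@ -1673,6 +1675,7 @@
 char *p;
 if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
 return -EFAULT;
+iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 if (strlen(iocts.drvid)) {
 if ((p = strchr(iocts.drvid, ',')))
 *p = 0;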
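Review bot: The terminator write `iocts.drvid[sizeof(iocts.drvid)-1] = 0;` is added by hand, without a comment, after three separate copy_from_user() calls (new lines 1518, 1603 and 1678). A later ioctl case that copies an isdn_ioctl_struct from userspace could omit it, and the strlen()/strchr() that follow would again run past the array. Folding the copy and the termination into one helper makes the check hard to skip; whether other copy sites exist in this function cannot be seen from these hunks. In the third hunk snprintf() now bounds the write into bname, but its return value is ignored, so a truncated entry would presumably be passed on silently by the code after the hunk. All four hunks lie inside a function body that starts and ends outside the visible lines.

```c
/*
 * Copy an isdn_ioctl_struct from userspace. drvid is user-controlled and
 * may arrive without a NUL, so terminate it before strlen()/strchr().
 */
static int isdn_copy_iocts(isdn_ioctl_struct *iocts, const void __user *argp)
{
	if (copy_from_user(iocts, argp, sizeof(*iocts)))
		return -EFAULT;
	iocts->drvid[sizeof(iocts->drvid) - 1] = 0;
	return 0;
}

/* … at each of the three sites, replacing the copy_from_user()/terminator pair … */
	if (isdn_copy_iocts(&iocts, argp))
		return -EFAULT;
/* … unchanged: strlen(iocts.drvid) checks and driver lookup … */
```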