From 85d24e1c313cba60ce2baf708b01a5d22e3f6e4a Mon Sep 17 00:00:00 2001 From: Karsten Keil Date: Mon, 21 Jan 2008 00:11:35 +0200 Subject: [PATCH] isdn: avoid copying overly-long strings (CVE-2007-6063) Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9416 Signed-off-by: Karsten Keil Signed-off-by: Adrian Bunk --- drivers/isdn/i4l/isdn_net.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/isdn/i4l/isdn_net.c b/drivers/isdn/i4l/isdn_net.c index 96c115e13389..81c88fb6968f 100644 --- a/drivers/isdn/i4l/isdn_net.c +++ b/drivers/isdn/i4l/isdn_net.c @@ -2126,7 +2126,7 @@ isdn_net_find_icall(int di, int ch, int idx, setup_parm *setup) u_long flags; isdn_net_dev *p; isdn_net_phone *n; - char nr[32]; + char nr[ISDN_MSNLEN]; char *my_eaz; /* Search name in netdev-chain */ @@ -2135,7 +2135,7 @@ isdn_net_find_icall(int di, int ch, int idx, setup_parm *setup) nr[1] = '\0'; printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n"); } else - strcpy(nr, setup->phone); + strlcpy(nr, setup->phone, ISDN_MSNLEN); si1 = (int) setup->si1; si2 = (int) setup->si2; if (!setup->eazmsn[0]) { @@ -2804,7 +2804,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg) chidx = -1; } } - strcpy(lp->msn, cfg->eaz); + strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn)); lp->pre_device = drvidx; lp->pre_channel = chidx; lp->onhtime = cfg->onhtime; @@ -2953,7 +2953,7 @@ isdn_net_addphone(isdn_net_ioctl_phone * phone) if (p) { if (!(n = (isdn_net_phone *) kmalloc(sizeof(isdn_net_phone), GFP_KERNEL))) return -ENOMEM; - strcpy(n->num, phone->phone); + strlcpy(n->num, phone->phone, sizeof(n->num)); n->next = p->local->phone[phone->outgoing & 1]; p->local->phone[phone->outgoing & 1] = n; return 0; -- 2.39.2