mirror of
https://github.com/joel16/android_kernel_sony_msm8994.git
synced 2024-12-12 06:49:34 +00:00
I4L: fix isdn_ioctl memory overrun vulnerability
Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB <adlab@venustech.com.cn> Signed-off-by: Karsten Keil <kkeil@suse.de> Cc: ADLAB <adlab@venustech.com.cn> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This commit is contained in:
parent
92d499d991
commit
eafe1aa37e
@ -1515,6 +1515,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
|
||||
if (copy_from_user(&iocts, argp,
|
||||
sizeof(isdn_ioctl_struct)))
|
||||
return -EFAULT;
|
||||
iocts.drvid[sizeof(iocts.drvid)-1] = 0;
|
||||
if (strlen(iocts.drvid)) {
|
||||
if ((p = strchr(iocts.drvid, ',')))
|
||||
*p = 0;
|
||||
@ -1599,6 +1600,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
|
||||
if (copy_from_user(&iocts, argp,
|
||||
sizeof(isdn_ioctl_struct)))
|
||||
return -EFAULT;
|
||||
iocts.drvid[sizeof(iocts.drvid)-1] = 0;
|
||||
if (strlen(iocts.drvid)) {
|
||||
drvidx = -1;
|
||||
for (i = 0; i < ISDN_MAX_DRIVERS; i++)
|
||||
@ -1643,7 +1645,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
|
||||
} else {
|
||||
p = (char __user *) iocts.arg;
|
||||
for (i = 0; i < 10; i++) {
|
||||
sprintf(bname, "%s%s",
|
||||
snprintf(bname, sizeof(bname), "%s%s",
|
||||
strlen(dev->drv[drvidx]->msn2eaz[i]) ?
|
||||
dev->drv[drvidx]->msn2eaz[i] : "_",
|
||||
(i < 9) ? "," : "\0");
|
||||
@ -1673,6 +1675,7 @@ isdn_ioctl(struct inode *inode, struct file *file, uint cmd, ulong arg)
|
||||
char *p;
|
||||
if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
|
||||
return -EFAULT;
|
||||
iocts.drvid[sizeof(iocts.drvid)-1] = 0;
|
||||
if (strlen(iocts.drvid)) {
|
||||
if ((p = strchr(iocts.drvid, ',')))
|
||||
*p = 0;
|
||||
|
Loading…
Reference in New Issue
Block a user