releases/3.7.1/telephony-ijx-buffer-overflow-in-ixj_write_cid.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From dan.carpenter@oracle.com  Tue Dec 11 13:26:39 2012
 From: Dan Carpenter <dan.carpenter@oracle.com>
 Date: Mon, 3 Dec 2012 22:05:12 +0300
 Subject: telephony: ijx: buffer overflow in ixj_write_cid()
 To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 Message-ID: <20121203190512.GA9273@elgon.mountain>

 [Not needed in 3.8 or newer as this driver is removed there. - gregkh]

 We get this from user space and nothing has been done to ensure that
 these strings are NUL terminated.

 Reported-by: Chen Gang <gang.chen@asianux.com>
 Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  drivers/staging/telephony/ixj.c |   24 ++++++++++++------------
  1 file changed, 12 insertions(+), 12 deletions(-)

 --- a/drivers/staging/telephony/ixj.c
 +++ b/drivers/staging/telephony/ixj.c
 @@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j)

  	ixj_fsk_alloc(j);

 -	strcpy(sdmf1, j->cid_send.month);
 -	strcat(sdmf1, j->cid_send.day);
 -	strcat(sdmf1, j->cid_send.hour);
 -	strcat(sdmf1, j->cid_send.min);
 -	strcpy(sdmf2, j->cid_send.number);
 -	strcpy(sdmf3, j->cid_send.name);
 +	strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
 +	strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
 +	strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
 +	strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
 +	strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
 +	strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));

  	len1 = strlen(sdmf1);
  	len2 = strlen(sdmf2);
 @@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j)
  		ixj_pre_cid(j);
  	}
  	j->flags.cidcw_ack = 0;
 -	strcpy(sdmf1, j->cid_send.month);
 -	strcat(sdmf1, j->cid_send.day);
 -	strcat(sdmf1, j->cid_send.hour);
 -	strcat(sdmf1, j->cid_send.min);
 -	strcpy(sdmf2, j->cid_send.number);
 -	strcpy(sdmf3, j->cid_send.name);
 +	strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
 +	strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
 +	strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
 +	strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
 +	strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
 +	strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));

  	len1 = strlen(sdmf1);
  	len2 = strlen(sdmf2);
	From dan.carpenter@oracle.com Tue Dec 11 13:26:39 2012
	From: Dan Carpenter <dan.carpenter@oracle.com>
	Date: Mon, 3 Dec 2012 22:05:12 +0300
	Subject: telephony: ijx: buffer overflow in ixj_write_cid()
	To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Message-ID: <20121203190512.GA9273@elgon.mountain>

	[Not needed in 3.8 or newer as this driver is removed there. - gregkh]

	We get this from user space and nothing has been done to ensure that
	these strings are NUL terminated.

	Reported-by: Chen Gang <gang.chen@asianux.com>
	Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	drivers/staging/telephony/ixj.c \| 24 ++++++++++++------------
	1 file changed, 12 insertions(+), 12 deletions(-)

	--- a/drivers/staging/telephony/ixj.c
	+++ b/drivers/staging/telephony/ixj.c
	@@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j)

	ixj_fsk_alloc(j);

	- strcpy(sdmf1, j->cid_send.month);
	- strcat(sdmf1, j->cid_send.day);
	- strcat(sdmf1, j->cid_send.hour);
	- strcat(sdmf1, j->cid_send.min);
	- strcpy(sdmf2, j->cid_send.number);
	- strcpy(sdmf3, j->cid_send.name);
	+ strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
	+ strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
	+ strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
	+ strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
	+ strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
	+ strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));

	len1 = strlen(sdmf1);
	len2 = strlen(sdmf2);
	@@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j)
	ixj_pre_cid(j);
	}
	j->flags.cidcw_ack = 0;
	- strcpy(sdmf1, j->cid_send.month);
	- strcat(sdmf1, j->cid_send.day);
	- strcat(sdmf1, j->cid_send.hour);
	- strcat(sdmf1, j->cid_send.min);
	- strcpy(sdmf2, j->cid_send.number);
	- strcpy(sdmf3, j->cid_send.name);
	+ strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
	+ strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
	+ strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
	+ strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
	+ strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
	+ strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));

	len1 = strlen(sdmf1);
	len2 = strlen(sdmf2);