| From dan.carpenter@oracle.com Tue Dec 11 13:26:39 2012 |
| From: Dan Carpenter <dan.carpenter@oracle.com> |
| Date: Mon, 3 Dec 2012 22:05:12 +0300 |
| Subject: telephony: ijx: buffer overflow in ixj_write_cid() |
| To: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| Message-ID: <20121203190512.GA9273@elgon.mountain> |
| |
| [Not needed in 3.8 or newer as this driver is removed there. - gregkh] |
| |
| We get this from user space and nothing has been done to ensure that |
| these strings are NUL terminated. |
| |
| Reported-by: Chen Gang <gang.chen@asianux.com> |
| Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/staging/telephony/ixj.c | 24 ++++++++++++------------ |
| 1 file changed, 12 insertions(+), 12 deletions(-) |
| |
| --- a/drivers/staging/telephony/ixj.c |
| +++ b/drivers/staging/telephony/ixj.c |
| @@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j) |
| |
| ixj_fsk_alloc(j); |
| |
| - strcpy(sdmf1, j->cid_send.month); |
| - strcat(sdmf1, j->cid_send.day); |
| - strcat(sdmf1, j->cid_send.hour); |
| - strcat(sdmf1, j->cid_send.min); |
| - strcpy(sdmf2, j->cid_send.number); |
| - strcpy(sdmf3, j->cid_send.name); |
| + strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1)); |
| + strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1)); |
| + strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1)); |
| + strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1)); |
| + strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2)); |
| + strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3)); |
| |
| len1 = strlen(sdmf1); |
| len2 = strlen(sdmf2); |
| @@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j) |
| ixj_pre_cid(j); |
| } |
| j->flags.cidcw_ack = 0; |
| - strcpy(sdmf1, j->cid_send.month); |
| - strcat(sdmf1, j->cid_send.day); |
| - strcat(sdmf1, j->cid_send.hour); |
| - strcat(sdmf1, j->cid_send.min); |
| - strcpy(sdmf2, j->cid_send.number); |
| - strcpy(sdmf3, j->cid_send.name); |
| + strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1)); |
| + strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1)); |
| + strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1)); |
| + strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1)); |
| + strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2)); |
| + strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3)); |
| |
| len1 = strlen(sdmf1); |
| len2 = strlen(sdmf2); |