]>
Commit | Line | Data |
---|---|---|
a15a8890 SL |
1 | From 677db97411bfb724aaf32ebb0fdca2a0b0ac25bd Mon Sep 17 00:00:00 2001 |
2 | From: Dan Carpenter <dan.carpenter@oracle.com> | |
3 | Date: Wed, 22 May 2019 11:45:13 +0300 | |
4 | Subject: mISDN: make sure device name is NUL terminated | |
5 | ||
6 | [ Upstream commit ccfb62f27beb295103e9392462b20a6ed807d0ea ] | |
7 | ||
8 | The user can change the device_name with the IMSETDEVNAME ioctl, but we | |
9 | need to ensure that the user's name is NUL terminated. Otherwise it | |
10 | could result in a buffer overflow when we copy the name back to the user | |
11 | with IMGETDEVINFO ioctl. | |
12 | ||
13 | I also changed two strcpy() calls which handle the name to strscpy(). | |
14 | Hopefully, there aren't any other ways to create a too long name, but | |
15 | it's nice to do this as a kernel hardening measure. | |
16 | ||
17 | Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> | |
18 | Signed-off-by: David S. Miller <davem@davemloft.net> | |
19 | Signed-off-by: Sasha Levin <sashal@kernel.org> | |
20 | --- | |
21 | drivers/isdn/mISDN/socket.c | 5 +++-- | |
22 | 1 file changed, 3 insertions(+), 2 deletions(-) | |
23 | ||
24 | diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c | |
25 | index b2abc44fa5cb..a73337b74f41 100644 | |
26 | --- a/drivers/isdn/mISDN/socket.c | |
27 | +++ b/drivers/isdn/mISDN/socket.c | |
28 | @@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) | |
29 | memcpy(di.channelmap, dev->channelmap, | |
30 | sizeof(di.channelmap)); | |
31 | di.nrbchan = dev->nrbchan; | |
32 | - strcpy(di.name, dev_name(&dev->dev)); | |
33 | + strscpy(di.name, dev_name(&dev->dev), sizeof(di.name)); | |
34 | if (copy_to_user((void __user *)arg, &di, sizeof(di))) | |
35 | err = -EFAULT; | |
36 | } else | |
37 | @@ -677,7 +677,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) | |
38 | memcpy(di.channelmap, dev->channelmap, | |
39 | sizeof(di.channelmap)); | |
40 | di.nrbchan = dev->nrbchan; | |
41 | - strcpy(di.name, dev_name(&dev->dev)); | |
42 | + strscpy(di.name, dev_name(&dev->dev), sizeof(di.name)); | |
43 | if (copy_to_user((void __user *)arg, &di, sizeof(di))) | |
44 | err = -EFAULT; | |
45 | } else | |
46 | @@ -691,6 +691,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) | |
47 | err = -EFAULT; | |
48 | break; | |
49 | } | |
50 | + dn.name[sizeof(dn.name) - 1] = '\0'; | |
51 | dev = get_mdevice(dn.id); | |
52 | if (dev) | |
53 | err = device_rename(&dev->dev, dn.name); | |
54 | -- | |
55 | 2.20.1 | |
56 |