提交 4b030d42 编写于 作者: D Dan Carpenter 提交者: David S. Miller

isdn: fix information leak

The main motivation of this patch changing strcpy() to strlcpy().
We strcpy() to copy a 48 byte buffers into a 49 byte buffers.  So at
best the last byte has leaked information, or maybe there is an
overflow?  Anyway, this patch closes the information leaks by zeroing
the memory and the calls to strlcpy() prevent overflows.
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 ce9e76c8
...@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
pr_debug("%s: SCIOGETSPID: ioctl received\n", pr_debug("%s: SCIOGETSPID: ioctl received\n",
sc_adapter[card]->devicename); sc_adapter[card]->devicename);
spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL); spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
if (!spid) { if (!spid) {
kfree(rcvmsg); kfree(rcvmsg);
return -ENOMEM; return -ENOMEM;
...@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
kfree(rcvmsg); kfree(rcvmsg);
return status; return status;
} }
strcpy(spid, rcvmsg->msg_data.byte_array); strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
/* /*
* Package the switch type and send to user space * Package the switch type and send to user space
...@@ -266,12 +266,12 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -266,12 +266,12 @@ int sc_ioctl(int card, scs_ioctl *data)
return status; return status;
} }
dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL); dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
if (!dn) { if (!dn) {
kfree(rcvmsg); kfree(rcvmsg);
return -ENOMEM; return -ENOMEM;
} }
strcpy(dn, rcvmsg->msg_data.byte_array); strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
kfree(rcvmsg); kfree(rcvmsg);
/* /*
...@@ -337,7 +337,7 @@ int sc_ioctl(int card, scs_ioctl *data) ...@@ -337,7 +337,7 @@ int sc_ioctl(int card, scs_ioctl *data)
pr_debug("%s: SCIOSTAT: ioctl received\n", pr_debug("%s: SCIOSTAT: ioctl received\n",
sc_adapter[card]->devicename); sc_adapter[card]->devicename);
bi = kmalloc (sizeof(boardInfo), GFP_KERNEL); bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
if (!bi) { if (!bi) {
kfree(rcvmsg); kfree(rcvmsg);
return -ENOMEM; return -ENOMEM;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册