summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <error27@gmail.com>2010-08-05 03:38:06 +0400
committerDavid S. Miller <davem@davemloft.net>2010-08-06 00:21:25 +0400
commit4b030d4288a569d6bdeca884d7f102d951f097f2 (patch)
tree90c999a27f71fa258db88e2b859d31930d112ba3
parentce9e76c8450fc248d3e1fc16ef05e6eb50c02fa5 (diff)
downloadlinux-4b030d4288a569d6bdeca884d7f102d951f097f2.tar.xz
isdn: fix information leak
The main motivation of this patch changing strcpy() to strlcpy(). We strcpy() to copy a 48 byte buffers into a 49 byte buffers. So at best the last byte has leaked information, or maybe there is an overflow? Anyway, this patch closes the information leaks by zeroing the memory and the calls to strlcpy() prevent overflows. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/sc/ioctl.c10
1 files changed, 5 insertions, 5 deletions
diff --git a/drivers/isdn/sc/ioctl.c b/drivers/isdn/sc/ioctl.c
index 43c5dc3516e5..4cfdbe08ffd1 100644
--- a/drivers/isdn/sc/ioctl.c
+++ b/drivers/isdn/sc/ioctl.c
@@ -174,7 +174,7 @@ int sc_ioctl(int card, scs_ioctl *data)
pr_debug("%s: SCIOGETSPID: ioctl received\n",
sc_adapter[card]->devicename);
- spid = kmalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
+ spid = kzalloc(SCIOC_SPIDSIZE, GFP_KERNEL);
if (!spid) {
kfree(rcvmsg);
return -ENOMEM;
@@ -194,7 +194,7 @@ int sc_ioctl(int card, scs_ioctl *data)
kfree(rcvmsg);
return status;
}
- strcpy(spid, rcvmsg->msg_data.byte_array);
+ strlcpy(spid, rcvmsg->msg_data.byte_array, SCIOC_SPIDSIZE);
/*
* Package the switch type and send to user space
@@ -266,12 +266,12 @@ int sc_ioctl(int card, scs_ioctl *data)
return status;
}
- dn = kmalloc(SCIOC_DNSIZE, GFP_KERNEL);
+ dn = kzalloc(SCIOC_DNSIZE, GFP_KERNEL);
if (!dn) {
kfree(rcvmsg);
return -ENOMEM;
}
- strcpy(dn, rcvmsg->msg_data.byte_array);
+ strlcpy(dn, rcvmsg->msg_data.byte_array, SCIOC_DNSIZE);
kfree(rcvmsg);
/*
@@ -337,7 +337,7 @@ int sc_ioctl(int card, scs_ioctl *data)
pr_debug("%s: SCIOSTAT: ioctl received\n",
sc_adapter[card]->devicename);
- bi = kmalloc (sizeof(boardInfo), GFP_KERNEL);
+ bi = kzalloc(sizeof(boardInfo), GFP_KERNEL);
if (!bi) {
kfree(rcvmsg);
return -ENOMEM;