
kernel-2.6.18-238.el5.src.rpm

From: Aristeu Rozanski <arozansk@redhat.com>
Date: Wed, 30 Jan 2008 09:35:45 -0500
Subject: [isdn] fix possible isdn_net buffer overflows
Message-id: 20080130143545.GB30104@redhat.com
O-Subject: [RHEL5 PATCH] isdn: fix possible isdn_net buffer overflows
Bugzilla: 392161

https://bugzilla.redhat.com/show_bug.cgi?id=392161

This patch prevents possible buffer overflows when handling strings.
Upstream: 0f13864e5b24d9cbe18d125d41bfa4b726a82e40
(CVE-2007-6063)

Acked-by: James Morris <jmorris@redhat.com>

diff --git a/drivers/isdn/i4l/isdn_net.c b/drivers/isdn/i4l/isdn_net.c
index 43da8ae..87249fe 100644
--- a/drivers/isdn/i4l/isdn_net.c
+++ b/drivers/isdn/i4l/isdn_net.c
@@ -2125,7 +2125,7 @@ isdn_net_find_icall(int di, int ch, int idx, setup_parm *setup)
 	u_long flags;
 	isdn_net_dev *p;
 	isdn_net_phone *n;
-	char nr[32];
+	char nr[ISDN_MSNLEN];
 	char *my_eaz;
 
 	/* Search name in netdev-chain */
@@ -2134,7 +2134,7 @@ isdn_net_find_icall(int di, int ch, int idx, setup_parm *setup)
 		nr[1] = '\0';
 		printk(KERN_INFO "isdn_net: Incoming call without OAD, assuming '0'\n");
 	} else
-		strcpy(nr, setup->phone);
+		strlcpy(nr, setup->phone, ISDN_MSNLEN);
 	si1 = (int) setup->si1;
 	si2 = (int) setup->si2;
 	if (!setup->eazmsn[0]) {
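Review bot: The bound in `strlcpy(nr, setup->phone, ISDN_MSNLEN);` repeats the constant from the declaration of `nr` in the previous hunk instead of being derived from the destination, unlike the two later hunks, which use `sizeof(...)`. I would write `strlcpy(nr, setup->phone, sizeof(nr));` so the limit cannot drift if the declaration changes again. The copy also truncates silently, and `nr` appears to be compared against configured numbers later in isdn_net_find_icall (that part is outside the hunk), so a comment such as `/* over-long caller numbers are truncated, not rejected */` would make the behaviour explicit.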
@@ -2803,7 +2803,7 @@ isdn_net_setcfg(isdn_net_ioctl_cfg * cfg)
 				chidx = -1;
 			}
 		}
-		strcpy(lp->msn, cfg->eaz);
+		strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn));
 		lp->pre_device = drvidx;
 		lp->pre_channel = chidx;
 		lp->onhtime = cfg->onhtime;
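Review bot: `strlcpy(lp->msn, cfg->eaz, sizeof(lp->msn));` bounds the write but not the read, because strlcpy walks the source to its terminating NUL to compute its return value. A `cfg->eaz` that arrives without a terminator would therefore still be read past the end of the field. Whether the ioctl path terminates the struct before this point is not visible in the hunk; if it does not, and assuming `eaz` is an array member, terminate it first with `cfg->eaz[sizeof(cfg->eaz) - 1] = '\0';` or reject the request. The same applies to `phone->phone` in the isdn_net_addphone hunk below. The body of isdn_net_setcfg starts and ends outside the hunk.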
@@ -2952,7 +2952,7 @@ isdn_net_addphone(isdn_net_ioctl_phone * phone)
 	if (p) {
 		if (!(n = (isdn_net_phone *) kmalloc(sizeof(isdn_net_phone), GFP_KERNEL)))
 			return -ENOMEM;
-		strcpy(n->num, phone->phone);
+		strlcpy(n->num, phone->phone, sizeof(n->num));
 		n->next = p->local->phone[phone->outgoing & 1];
 		p->local->phone[phone->outgoing & 1] = n;
 		return 0;