mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-04 16:15:11 +00:00
mISDN: make sure device name is NUL terminated
[ Upstream commit ccfb62f27b
]
The user can change the device_name with the IMSETDEVNAME ioctl, but we
need to ensure that the user's name is NUL terminated. Otherwise it
could result in a buffer overflow when we copy the name back to the user
with IMGETDEVINFO ioctl.
I also changed two strcpy() calls which handle the name to strscpy().
Hopefully, there aren't any other ways to create a too long name, but
it's nice to do this as a kernel hardening measure.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
parent
8a58d4a26b
commit
dca534e301
1 changed files with 3 additions and 2 deletions
|
@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
|
|||
memcpy(di.channelmap, dev->channelmap,
|
||||
sizeof(di.channelmap));
|
||||
di.nrbchan = dev->nrbchan;
|
||||
strcpy(di.name, dev_name(&dev->dev));
|
||||
strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
|
||||
if (copy_to_user((void __user *)arg, &di, sizeof(di)))
|
||||
err = -EFAULT;
|
||||
} else
|
||||
|
@ -678,7 +678,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
|
|||
memcpy(di.channelmap, dev->channelmap,
|
||||
sizeof(di.channelmap));
|
||||
di.nrbchan = dev->nrbchan;
|
||||
strcpy(di.name, dev_name(&dev->dev));
|
||||
strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
|
||||
if (copy_to_user((void __user *)arg, &di, sizeof(di)))
|
||||
err = -EFAULT;
|
||||
} else
|
||||
|
@ -692,6 +692,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
|
|||
err = -EFAULT;
|
||||
break;
|
||||
}
|
||||
dn.name[sizeof(dn.name) - 1] = '\0';
|
||||
dev = get_mdevice(dn.id);
|
||||
if (dev)
|
||||
err = device_rename(&dev->dev, dn.name);
|
||||
|
|
Loading…
Reference in a new issue