isdnloop: Validate NUL-terminated strings from user.
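diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
index d497db0..6a58169 100644
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -16,7 +16,6 @@
 #include <linux/sched.h>
 #include "isdnloop.h"
-static char *revision = "$Revision: 1.11.6.7 $";
 static char *isdnloop_id = "loop0";
 MODULE_DESCRIPTION("ISDN4Linux: Pseudo Driver that simulates an ISDN card");
@@ -1071,6 +1070,12 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
 return -EBUSY;
 if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef)))
 return -EFAULT;
+
+ for (i = 0; i < 3; i++) {
+ if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i])))
+ return -EINVAL;
+ }
+
 spin_lock_irqsave(&card->isdnloop_lock, flags);
 switch (sdef.ptype) {
 case ISDN_PTYPE_EURO:
@@ -1084,8 +1089,10 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
 spin_unlock_irqrestore(&card->isdnloop_lock, flags);
 return -ENOMEM;
 }
- for (i = 0; i < 3; i++)
- strcpy(card->s0num[i], sdef.num[i]);
+ for (i = 0; i < 3; i++) {
+ strlcpy(card->s0num[i], sdef.num[i],
+ sizeof(card->s0num[0]));
+ }
 break;
 case ISDN_PTYPE_1TR6:
 if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
@@ -1098,7 +1105,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
 spin_unlock_irqrestore(&card->isdnloop_lock, flags);
 return -ENOMEM;
 }
- strcpy(card->s0num[0], sdef.num[0]);
+ strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
 card->s0num[1][0] = '\0';
 card->s0num[2][0] = '\0';
 break;
@@ -1494,17 +1501,6 @@ isdnloop_addcard(char *id1)
 static int __init
 isdnloop_init(void)
 {
- char *p;
- char rev[10];
-
- if ((p = strchr(revision, ':'))) {
- strcpy(rev, p + 1);
- p = strchr(rev, '$');
- *p = 0;
- } else
- strcpy(rev, " ??? ");
- printk(KERN_NOTICE "isdnloop-ISDN-driver Rev%s\n", rev);
-
 if (isdnloop_id)
 return (isdnloop_addcard(isdnloop_id));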
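Review bot: The two strlcpy() calls in isdnloop_start() (the ISDN_PTYPE_EURO loop and the ISDN_PTYPE_1TR6 case) bound the copy but discard the return value, so a number that passes the new memchr() check yet does not fit the destination is silently truncated into card->s0num. The declarations of sdef.num and card->s0num are outside these hunks, so whether the source field can be larger than the destination cannot be confirmed from here. If it can, the validation loop should reject such input up front, for example by adding `if (strnlen(sdef.num[i], sizeof(sdef.num[i])) >= sizeof(card->s0num[i])) return -EINVAL;` next to the memchr() test. As a style point, the literal bound `3` in both loops would be safer as `ARRAY_SIZE(sdef.num)`, so the check and the copy cannot drift apart from the array declaration. The body of isdnloop_start() begins and ends outside the hunks shown.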