aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2012-12-03 22:05:12 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-12-17 10:49:03 -0800
commitd2e08635c22a9222f606062b42a7ad656f6a8584 (patch)
tree8cdb9a5a59e76bd01ecdf64cf92e093fc4e7b6cd
parentcde5ccfd7fff61f9b652dc7b42a40168e3e45f93 (diff)
downloadkernel_samsung_smdk4412-d2e08635c22a9222f606062b42a7ad656f6a8584.zip
kernel_samsung_smdk4412-d2e08635c22a9222f606062b42a7ad656f6a8584.tar.gz
kernel_samsung_smdk4412-d2e08635c22a9222f606062b42a7ad656f6a8584.tar.bz2
telephony: ijx: buffer overflow in ixj_write_cid()
[Not needed in 3.8 or newer as this driver is removed there. - gregkh] We get this from user space and nothing has been done to ensure that these strings are NUL terminated. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/telephony/ixj.c24
1 files changed, 12 insertions, 12 deletions
diff --git a/drivers/telephony/ixj.c b/drivers/telephony/ixj.c
index d5f923b..e1abb45 100644
--- a/drivers/telephony/ixj.c
+++ b/drivers/telephony/ixj.c
@@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j)
ixj_fsk_alloc(j);
- strcpy(sdmf1, j->cid_send.month);
- strcat(sdmf1, j->cid_send.day);
- strcat(sdmf1, j->cid_send.hour);
- strcat(sdmf1, j->cid_send.min);
- strcpy(sdmf2, j->cid_send.number);
- strcpy(sdmf3, j->cid_send.name);
+ strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
+ strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
+ strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));
len1 = strlen(sdmf1);
len2 = strlen(sdmf2);
@@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j)
ixj_pre_cid(j);
}
j->flags.cidcw_ack = 0;
- strcpy(sdmf1, j->cid_send.month);
- strcat(sdmf1, j->cid_send.day);
- strcat(sdmf1, j->cid_send.hour);
- strcat(sdmf1, j->cid_send.min);
- strcpy(sdmf2, j->cid_send.number);
- strcpy(sdmf3, j->cid_send.name);
+ strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
+ strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
+ strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));
len1 = strlen(sdmf1);
len2 = strlen(sdmf2);