mISDN: make sure device name is NUL terminated
The user can change the device_name with the IMSETDEVNAME ioctl, but we need to ensure that the user's name is NUL terminated. Otherwise it could result in a buffer overflow when we copy the name back to the user with IMGETDEVINFO ioctl. I also changed two strcpy() calls which handle the name to strscpy(). Hopefully, there aren't any other ways to create a too long name, but it's nice to do this as a kernel hardening measure. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
c1e85c6ce5
commit
ccfb62f27b
|
@ -393,7 +393,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
|
||||||
memcpy(di.channelmap, dev->channelmap,
|
memcpy(di.channelmap, dev->channelmap,
|
||||||
sizeof(di.channelmap));
|
sizeof(di.channelmap));
|
||||||
di.nrbchan = dev->nrbchan;
|
di.nrbchan = dev->nrbchan;
|
||||||
strcpy(di.name, dev_name(&dev->dev));
|
strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
|
||||||
if (copy_to_user((void __user *)arg, &di, sizeof(di)))
|
if (copy_to_user((void __user *)arg, &di, sizeof(di)))
|
||||||
err = -EFAULT;
|
err = -EFAULT;
|
||||||
} else
|
} else
|
||||||
|
@ -676,7 +676,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
|
||||||
memcpy(di.channelmap, dev->channelmap,
|
memcpy(di.channelmap, dev->channelmap,
|
||||||
sizeof(di.channelmap));
|
sizeof(di.channelmap));
|
||||||
di.nrbchan = dev->nrbchan;
|
di.nrbchan = dev->nrbchan;
|
||||||
strcpy(di.name, dev_name(&dev->dev));
|
strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
|
||||||
if (copy_to_user((void __user *)arg, &di, sizeof(di)))
|
if (copy_to_user((void __user *)arg, &di, sizeof(di)))
|
||||||
err = -EFAULT;
|
err = -EFAULT;
|
||||||
} else
|
} else
|
||||||
|
@ -690,6 +690,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
|
||||||
err = -EFAULT;
|
err = -EFAULT;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
dn.name[sizeof(dn.name) - 1] = '\0';
|
||||||
dev = get_mdevice(dn.id);
|
dev = get_mdevice(dn.id);
|
||||||
if (dev)
|
if (dev)
|
||||||
err = device_rename(&dev->dev, dn.name);
|
err = device_rename(&dev->dev, dn.name);
|
||||||
|
|
Loading…
Reference in New Issue