mISDN: make sure device name is NUL terminated

The user can change the device_name with the IMSETDEVNAME ioctl, but we
need to ensure that the user's name is NUL terminated.  Otherwise it
could result in a buffer overflow when we copy the name back to the user
with IMGETDEVINFO ioctl.

I also changed two strcpy() calls which handle the name to strscpy().
Hopefully, there aren't any other ways to create a too long name, but
it's nice to do this as a kernel hardening measure.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Dan Carpenter 2019-05-22 11:45:13 +03:00 committed by David S. Miller
parent c1e85c6ce5
commit ccfb62f27b
1 changed files with 3 additions and 2 deletions

View File

@ -393,7 +393,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
memcpy(di.channelmap, dev->channelmap, memcpy(di.channelmap, dev->channelmap,
sizeof(di.channelmap)); sizeof(di.channelmap));
di.nrbchan = dev->nrbchan; di.nrbchan = dev->nrbchan;
strcpy(di.name, dev_name(&dev->dev)); strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
if (copy_to_user((void __user *)arg, &di, sizeof(di))) if (copy_to_user((void __user *)arg, &di, sizeof(di)))
err = -EFAULT; err = -EFAULT;
} else } else
@ -676,7 +676,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
memcpy(di.channelmap, dev->channelmap, memcpy(di.channelmap, dev->channelmap,
sizeof(di.channelmap)); sizeof(di.channelmap));
di.nrbchan = dev->nrbchan; di.nrbchan = dev->nrbchan;
strcpy(di.name, dev_name(&dev->dev)); strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
if (copy_to_user((void __user *)arg, &di, sizeof(di))) if (copy_to_user((void __user *)arg, &di, sizeof(di)))
err = -EFAULT; err = -EFAULT;
} else } else
@ -690,6 +690,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
err = -EFAULT; err = -EFAULT;
break; break;
} }
dn.name[sizeof(dn.name) - 1] = '\0';
dev = get_mdevice(dn.id); dev = get_mdevice(dn.id);
if (dev) if (dev)
err = device_rename(&dev->dev, dn.name); err = device_rename(&dev->dev, dn.name);