Commit c819df1d authored by Dan Carpenter Committed by Stefan Bader

mISDN: make sure device name is NUL terminated

BugLink: https://bugs.launchpad.net/bugs/1836666

[ Upstream commit ccfb62f2 ]

The user can change the device_name with the IMSETDEVNAME ioctl, but we
need to ensure that the user's name is NUL terminated.  Otherwise it
could result in a buffer overflow when we copy the name back to the user
with IMGETDEVINFO ioctl.

I also changed two strcpy() calls which handle the name to strscpy().
Hopefully, there aren't any other ways to create a too long name, but
it's nice to do this as a kernel hardening measure.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
parent b7aafa8e
...@@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) ...@@ -394,7 +394,7 @@ data_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
memcpy(di.channelmap, dev->channelmap, memcpy(di.channelmap, dev->channelmap,
sizeof(di.channelmap)); sizeof(di.channelmap));
di.nrbchan = dev->nrbchan; di.nrbchan = dev->nrbchan;
strcpy(di.name, dev_name(&dev->dev)); strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
if (copy_to_user((void __user *)arg, &di, sizeof(di))) if (copy_to_user((void __user *)arg, &di, sizeof(di)))
err = -EFAULT; err = -EFAULT;
} else } else
...@@ -678,7 +678,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) ...@@ -678,7 +678,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
memcpy(di.channelmap, dev->channelmap, memcpy(di.channelmap, dev->channelmap,
sizeof(di.channelmap)); sizeof(di.channelmap));
di.nrbchan = dev->nrbchan; di.nrbchan = dev->nrbchan;
strcpy(di.name, dev_name(&dev->dev)); strscpy(di.name, dev_name(&dev->dev), sizeof(di.name));
if (copy_to_user((void __user *)arg, &di, sizeof(di))) if (copy_to_user((void __user *)arg, &di, sizeof(di)))
err = -EFAULT; err = -EFAULT;
} else } else
...@@ -692,6 +692,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg) ...@@ -692,6 +692,7 @@ base_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
err = -EFAULT; err = -EFAULT;
break; break;
} }
dn.name[sizeof(dn.name) - 1] = '\0';
dev = get_mdevice(dn.id); dev = get_mdevice(dn.id);
if (dev) if (dev)
err = device_rename(&dev->dev, dn.name); err = device_rename(&dev->dev, dn.name);
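Review bot: The added `dn.name[sizeof(dn.name) - 1] = '\0';` in the third hunk silently truncates an unterminated name from user space, and the device is then renamed to the shortened string, so the caller is told the rename succeeded for a name it did not supply. Rejecting the request is stricter and easier to audit: `if (strnlen(dn.name, sizeof(dn.name)) == sizeof(dn.name)) { err = -EINVAL; break; }`. The two `strscpy()` calls in the first two hunks also discard the return value, so a device name longer than `di.name` would be shortened without any signal; either check for a negative return or add a comment such as `/* truncation is acceptable here: di.name is informational */`. Both ioctl functions start and end outside the hunks shown, so any validation or zeroing of `di` done elsewhere cannot be confirmed from this page.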