summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2012-12-03 22:05:12 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2012-12-17 11:06:53 -0800
commit83c9bff26b4445bfaebbe9317d4ad73f69c68fe6 (patch)
treefa63ff44ac029b08693b3ca4cbe1207645190ad3
parentec92de46a243f6d014c8c42276b4b0cd72c4c9c5 (diff)
downloadlwn-83c9bff26b4445bfaebbe9317d4ad73f69c68fe6.tar.gz
lwn-83c9bff26b4445bfaebbe9317d4ad73f69c68fe6.zip
telephony: ijx: buffer overflow in ixj_write_cid()
[Not needed in 3.8 or newer as this driver is removed there. - gregkh] We get this from user space and nothing has been done to ensure that these strings are NUL terminated. Reported-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/staging/telephony/ixj.c24
1 files changed, 12 insertions, 12 deletions
diff --git a/drivers/staging/telephony/ixj.c b/drivers/staging/telephony/ixj.c
index 1cfa0b07d725..cf6aa83b03df 100644
--- a/drivers/staging/telephony/ixj.c
+++ b/drivers/staging/telephony/ixj.c
@@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j)
ixj_fsk_alloc(j);
- strcpy(sdmf1, j->cid_send.month);
- strcat(sdmf1, j->cid_send.day);
- strcat(sdmf1, j->cid_send.hour);
- strcat(sdmf1, j->cid_send.min);
- strcpy(sdmf2, j->cid_send.number);
- strcpy(sdmf3, j->cid_send.name);
+ strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
+ strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
+ strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));
len1 = strlen(sdmf1);
len2 = strlen(sdmf2);
@@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j)
ixj_pre_cid(j);
}
j->flags.cidcw_ack = 0;
- strcpy(sdmf1, j->cid_send.month);
- strcat(sdmf1, j->cid_send.day);
- strcat(sdmf1, j->cid_send.hour);
- strcat(sdmf1, j->cid_send.min);
- strcpy(sdmf2, j->cid_send.number);
- strcpy(sdmf3, j->cid_send.name);
+ strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
+ strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
+ strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
+ strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));
len1 = strlen(sdmf1);
len2 = strlen(sdmf2);