[ 111/143] isdnloop: Validate NUL-terminated strings from user.

From: Willy Tarreau
Date: Sun May 11 2014 - 21:56:24 EST

Next message: Willy Tarreau: "[ 073/143] net: Fix "ip rule delete table 256""
Previous message: Willy Tarreau: "[ 078/143] ipv4: fix possible seqlock deadlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.32-longterm review patch. If anyone has any objections, please let me know.

------------------

From: YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>

[ Upstream commit 77bc6bed7121936bb2e019a8c336075f4c8eef62 ]

Return -EINVAL unless all of user-given strings are correctly
NUL-terminated.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@xxxxxxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Willy Tarreau <w@xxxxxx>
---
drivers/isdn/isdnloop/isdnloop.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
index bf4168b..4267d48 100644
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -1071,6 +1071,12 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
return -EBUSY;
if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef)))
return -EFAULT;
+
+ for (i = 0; i < 3; i++) {
+ if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i])))
+ return -EINVAL;
+ }
+
spin_lock_irqsave(&card->isdnloop_lock, flags);
switch (sdef.ptype) {
case ISDN_PTYPE_EURO:
--
1.7.12.2.21.g234cd45.dirty

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Willy Tarreau: "[ 073/143] net: Fix "ip rule delete table 256""
Previous message: Willy Tarreau: "[ 078/143] ipv4: fix possible seqlock deadlock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]