tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

isdn: potential buffer overflows

cs->ics.parm.setup.phone is a 32 character array. In each of these
cases we're copying from a 35 character array into a 32 character array
so we should use strlcpy() instead of strcpy().

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Dan Carpenter and committed by
David S. Miller 017d79ef ca1cef3a

+3 -3
+3 -3
drivers/isdn/divert/isdn_divert.c
··· 77 77 78 78 case DEFLECT_ALERT: 79 79 cs->ics.command = ISDN_CMD_REDIR; /* protocol */ 80 - strcpy(cs->ics.parm.setup.phone,cs->deflect_dest); 80 + strlcpy(cs->ics.parm.setup.phone, cs->deflect_dest, sizeof(cs->ics.parm.setup.phone)); 81 81 strcpy(cs->ics.parm.setup.eazmsn,"Testtext delayed"); 82 82 divert_if.ll_cmd(&cs->ics); 83 83 spin_lock_irqsave(&divert_lock, flags); ··· 251 251 252 252 case 2: /* redir */ 253 253 del_timer(&cs->timer); 254 - strcpy(cs->ics.parm.setup.phone, to_nr); 254 + strlcpy(cs->ics.parm.setup.phone, to_nr, sizeof(cs->ics.parm.setup.phone)); 255 255 strcpy(cs->ics.parm.setup.eazmsn, "Testtext manual"); 256 256 ic.command = ISDN_CMD_REDIR; 257 257 if ((i = divert_if.ll_cmd(&ic))) ··· 480 480 if (!cs->timer.expires) 481 481 { strcpy(ic->parm.setup.eazmsn,"Testtext direct"); 482 482 ic->parm.setup.screen = dv->rule.screen; 483 - strcpy(ic->parm.setup.phone,dv->rule.to_nr); 483 + strlcpy(ic->parm.setup.phone, dv->rule.to_nr, sizeof(ic->parm.setup.phone)); 484 484 cs->akt_state = DEFLECT_AUTODEL; /* delete after timeout */ 485 485 cs->timer.expires = jiffies + (HZ * AUTODEL_TIME); 486 486 retval = 5;