Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

isdn: icn: buffer overflow in icn_command()

This buffer overflow was detected using static analysis:

drivers/isdn/icn/icn.c:1325 icn_command()
error: format string overflow. buf_size: 60 length: 98

The calculation for the length of the string is off because it assumes
that the dial[] buffer holds a 50 character string, but actually it is
at most 31 characters and NUL. I have removed the dial[] buffer because
it isn't needed.

The maximum length of the string is actually 79 characters and a NUL. I
have made the cbuf[] array large enough to hold it and changed the
sprintf() to an snprintf() as a further safety enhancement.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
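To check the worst-case length the commit message quotes, here is an added C example (not kernel code) that rebuilds the longest output the icn_command() format string can produce and shows how the snprintf() return value exposes the truncation that the old sprintf() into cbuf[60] would instead have turned into an overflow. It assumes that eazmsn, like the dial number, is at most 31 characters and that the channel number, si1 and si2 all fit in two digits; the page states neither.

```c
#include <stdio.h>
#include <string.h>

/* Format string from icn_command(). Field sizes taken from the commit
 * message: dcode is 3 chars ("CAL"), the dial number at most 31 chars.
 * Assumption (not stated on the page): eazmsn is also at most 31 chars,
 * and the channel number, si1 and si2 each fit in two digits. */
#define ICN_CMD_FMT   "%02d;D%s_R%s,%02d,%02d,%s\n"
#define OLD_CBUF_SIZE 60
#define NEW_CBUF_SIZE 80
#define MAX_NUM_LEN   31

/* Constructed worst-case inputs: 31 digits for both variable-length fields. */
static void fill_max(char *dst)
{
    memset(dst, '9', MAX_NUM_LEN);
    dst[MAX_NUM_LEN] = '\0';
}

/* Length (excluding the NUL) of the longest command the format can yield,
 * measured with snprintf(NULL, 0, ...) instead of worked out by hand. */
int icn_max_cmd_len(void)
{
    char dial[MAX_NUM_LEN + 1], eazmsn[MAX_NUM_LEN + 1];
    fill_max(dial);
    fill_max(eazmsn);
    return snprintf(NULL, 0, ICN_CMD_FMT, 0 + 1, "CAL", dial, 1, 1, eazmsn);
}

/* Mirror of the fixed code path: format with snprintf() into a buffer of
 * 'size' bytes and report the result. Returns the command length, or -1
 * when the output did not fit (the case a plain sprintf() would overflow). */
int icn_worst_case_fits(size_t size)
{
    char cbuf[128];                       /* larger than any size we try */
    char dial[MAX_NUM_LEN + 1], eazmsn[MAX_NUM_LEN + 1];
    int n;

    if (size > sizeof(cbuf))
        return -1;
    fill_max(dial);
    fill_max(eazmsn);
    n = snprintf(cbuf, size, ICN_CMD_FMT, 0 + 1, "CAL", dial, 1, 1, eazmsn);
    if (n < 0 || (size_t)n >= size)
        return -1;                        /* truncated: old code overflowed here */
    return n;
}
```

With the old 60-byte buffer the worst case is reported as truncated; with 80 bytes the full 79-character command fits with room for the NUL.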

Authored by Dan Carpenter, committed by David S. Miller
b7a31405 74462f0d

+5 -6
drivers/isdn/icn/icn.c
··· 1155 1155 ulong a; 1156 1156 ulong flags; 1157 1157 int i; 1158 - char cbuf[60]; 1158 + char cbuf[80]; 1159 1159 isdn_ctrl cmd; 1160 1160 icn_cdef cdef; 1161 1161 char __user *arg; ··· 1309 1309 break; 1310 1310 if ((c->arg & 255) < ICN_BCH) { 1311 1311 char *p; 1312 - char dial[50]; 1313 1312 char dcode[4]; 1314 1313 1315 1314 a = c->arg; ··· 1320 1321 } else 1321 1322 /* Normal Dial */ 1322 1323 strcpy(dcode, "CAL"); 1323 - strcpy(dial, p); 1324 - sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), 1325 - dcode, dial, c->parm.setup.si1, 1326 - c->parm.setup.si2, c->parm.setup.eazmsn); 1324 + snprintf(cbuf, sizeof(cbuf), 1325 + "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1), 1326 + dcode, p, c->parm.setup.si1, 1327 + c->parm.setup.si2, c->parm.setup.eazmsn); 1327 1328 i = icn_writecmd(cbuf, strlen(cbuf), 0, card); 1328 1329 } 1329 1330 break;
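Review bot: the new `char cbuf[80];` encodes the 79-character maximum derived in the commit message, but nothing in the code records that derivation, so a later change to the format string or to the size of the dial number or eazmsn field would silently reopen the gap between the buffer and the worst case. A named constant or a short comment next to the declaration stating how 80 was arrived at would keep the bound reviewable.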
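Review bot: removing `char dial[50];` also removes the `strcpy(dial, p);` that followed it, which was itself an unbounded copy from p into a fixed buffer; the commit message only says the buffer "isn't needed". It would help reviewers to state explicitly that the intermediate copy had no bounds check of its own and that p is now passed straight to the formatter, so the change closes that copy as well as the sprintf() overflow.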
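Review bot: the snprintf() return value is discarded, so a truncated command is still handed to `i = icn_writecmd(cbuf, strlen(cbuf), 0, card);` on the next line; if the 79-character bound ever fails to hold, the card receives a command cut short without its trailing newline. Comparing the return value against sizeof(cbuf) and returning an error (or at least logging) would make the truncation visible instead of silent.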