Hello Greg Kroah-Hartman,

In drivers/staging/telephony/ixj.c, the function ixj_write_cid() uses strcpy() and strcat() to copy strings from the members of PHONE_CID (lines 3193..3198). These members are assigned from user mode (line 6186); if they are not '\0'-terminated strings, this will cause a problem, since strcpy()/strcat() keep copying until they find a terminator and the destinations are fixed-size local arrays (sdmf1[50], sdmf2[50], sdmf3[80]). I found this through code review and have not tested it, so it would be better to find the relevant maintainers to help check and test it.

By the way, I found some e-mail addresses in the comments of ixj.c; is it suitable to send this mail to them? If so, please tell me and I will forward this mail to them.

Thanks,
gchen.

3175 static void ixj_write_cid(IXJ *j)
3176 {
3177 	char sdmf1[50];
3178 	char sdmf2[50];
3179 	char sdmf3[80];
3180 	char mdmflen, len1, len2, len3;
3181 	int pad;
3182 
3183 	int checksum = 0;
3184 
3185 	if (j->dsp.low == 0x20 || j->flags.cidplay)
3186 		return;
3187 
3188 	j->fskz = j->fskphase = j->fskcnt = j->fskdcnt = 0;
3189 	j->cidsize = j->cidcnt = 0;
3190 
3191 	ixj_fsk_alloc(j);
3192 
3193 	strcpy(sdmf1, j->cid_send.month);
3194 	strcat(sdmf1, j->cid_send.day);
3195 	strcat(sdmf1, j->cid_send.hour);
3196 	strcat(sdmf1, j->cid_send.min);
3197 	strcpy(sdmf2, j->cid_send.number);
3198 	strcpy(sdmf3, j->cid_send.name);
3199 	...

6184 	case PHONE_RING_START:
6185 		if(arg) {
6186 			if (copy_from_user(&j->cid_send, argp, sizeof(PHONE_CID))) {
6187 				retval = -EFAULT;
6188 				break;
6189 			}
6190 			ixj_write_cid(j);
6191 		} else {
6192 			memset(&j->cid_send, 0, sizeof(PHONE_CID));
6193 		}
6194 		ixj_ring_start(j);
6195 		break;

-- 
Chen Gang
Asianux Corporation

_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel