On Wed, Nov 23, 2011 at 09:25:56AM +0100, walter harms wrote: > > > Am 23.11.2011 07:42, schrieb Dan Carpenter: > > These strings come from the user. We strcpy() them inside > > cf_command() so we should check that they are NULL terminated and > > return an error if not. > > > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > > > diff --git a/drivers/isdn/divert/divert_procfs.c b/drivers/isdn/divert/divert_procfs.c > > index 33ec9e4..0c16687 100644 > > --- a/drivers/isdn/divert/divert_procfs.c > > +++ b/drivers/isdn/divert/divert_procfs.c > > @@ -242,6 +242,10 @@ static int isdn_divert_ioctl_unlocked(struct file *file, uint cmd, ulong arg) > > case IIOCDOCFINT: > > if (!divert_if.drv_to_name(dioctl.cf_ctrl.drvid)) > > return (-EINVAL); /* invalid driver */ > > + if (strlen(dioctl.cf_ctrl.msn) >= sizeof(dioctl.cf_ctrl.msn)) > > + return -EINVAL; > > + if (strlen(dioctl.cf_ctrl.fwd_nr) >= sizeof(dioctl.cf_ctrl.fwd_nr)) > > + return -EINVAL; > > forcing the last field to be zero seems more easy. > dioctl.cf_ctrl.fwd_nr[sizeof(dioctl.cf_ctrl.fwd_nr))-1]=0; > That's a valid option to use, but I'd prefer to return an error code here because that's what we do on the line before. Passing a too long string is clearly invalid. regards, dan carpenter
Attachment:
signature.asc
Description: Digital signature
