From: Dan Carpenter
> There are three buffer overflows addressed in this patch.
...
> 2) In isdnloop_parse_cmd(), p points 6 characters into a 60
> character buffer so we have 54 characters. The ->eazlist[] is 11
> characters long. I have modified the code to return if the source
> buffer is too long.
...
> @@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card)
> case 7:
> /* 0x;EAZ */
> p += 3;
> + if (strlen(p) >= sizeof(card->eazlist[0]))
> + break;
> strcpy(card->eazlist[ch - 1], p);
> break;
> case 8:

If you've done the strlen() you might as well use memcpy().
There are also functions that will do a bounded strlen() (e.g. memchr()).

David
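Review bot: In the case 7 branch the over-length path is a bare break, which only leaves the switch, while the description says the code was modified to return if the source buffer is too long; either return an error at that point or log that the EAZ was rejected, so a dropped command is not silent. The new check bounds only the length of p: nothing in the visible lines validates ch before it indexes card->eazlist[ch - 1], so that index should be confirmed to be range-checked earlier in the function.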
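David's suggestion, sketched as an added userspace C example (not code from the patch or the driver): memchr() acts as the bounded strlen() and memcpy() does the copy once the length is known. copy_eaz() and demo_copy() are hypothetical names, and the 60/6/11 sizes are taken from the quoted description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_LEN 60  /* command buffer size, from the quoted description */
#define CMD_OFFSET   6  /* p sits 6 characters in, leaving 54 */
#define EAZ_LEN     11  /* one eazlist[] entry, from the quoted description */

/* Hypothetical helper, not driver code. Returns the copied length, or -1
 * if src has no NUL within src_avail bytes or does not fit in dst. */
static int copy_eaz(char dst[EAZ_LEN], const char *src, size_t src_avail)
{
    /* Bounded strlen: memchr() never reads past src_avail bytes. */
    const char *nul = memchr(src, '\0', src_avail);
    size_t len;

    if (nul == NULL)
        return -1;                 /* unterminated source */
    len = (size_t)(nul - src);
    if (len >= EAZ_LEN)
        return -1;                 /* too long: dst is left untouched */
    memcpy(dst, src, len + 1);     /* length known, +1 copies the NUL */
    return (int)len;
}

/* Constructed input: a 60-byte buffer of 'A' with no terminator, with
 * n raw bytes of payload placed at the offset where p would point. */
static int demo_copy(const char *payload, size_t n)
{
    char buf[CMD_BUF_LEN];
    char eaz[EAZ_LEN] = "";

    memset(buf, 'A', sizeof(buf));
    if (n > CMD_BUF_LEN - CMD_OFFSET)
        return -1;
    memcpy(buf + CMD_OFFSET, payload, n);
    return copy_eaz(eaz, buf + CMD_OFFSET, CMD_BUF_LEN - CMD_OFFSET);
}

int main(void)
{
    printf("fits: %d\n", demo_copy("1234567890", 11));
    printf("too long: %d\n", demo_copy("12345678901", 12));
    printf("unterminated: %d\n", demo_copy("", 0));
    return 0;
}
```

Unlike a plain strlen(), the memchr() call also stops at the end of the 54 remaining bytes when the source has no terminator at all.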