- i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch removed from -mm tree

akpm@xxxxxxxxxxxxxxxxxxxx · Mon, 03 Dec 2007 23:37:24 -0800

The patch titled
     I4L: fix isdn_ioctl memory overrun vulnerability
has been removed from the -mm tree.  Its filename was
     i4l-fix-isdn_ioctl-memory-overrun-vulnerability.patch

This patch was dropped because it was merged into mainline or a subsystem tree

------------------------------------------------------
Subject: I4L: fix isdn_ioctl memory overrun vulnerability
From: Karsten Keil <kkeil@xxxxxxx>

Fix possible memory overrun issue in the isdn ioctl code.  Found by ADLAB
<adlab@xxxxxxxxxxxxxxxx>

Signed-off-by: Karsten Keil <kkeil@xxxxxxx>
Cc: ADLAB <adlab@xxxxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 drivers/isdn/i4l/isdn_common.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff -puN drivers/isdn/i4l/isdn_common.c~i4l-fix-isdn_ioctl-memory-overrun-vulnerability drivers/isdn/i4l/isdn_common.c

--- a/drivers/isdn/i4l/isdn_common.c~i4l-fix-isdn_ioctl-memory-overrun-vulnerability
+++ a/drivers/isdn/i4l/isdn_common.c
@@ -1515,6 +1515,7 @@ isdn_ioctl(struct inode *inode, struct f
 					if (copy_from_user(&iocts, argp,
 					     sizeof(isdn_ioctl_struct)))
 						return -EFAULT;
+					iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 					if (strlen(iocts.drvid)) {
 						if ((p = strchr(iocts.drvid, ',')))
 							*p = 0;
@@ -1599,6 +1600,7 @@ isdn_ioctl(struct inode *inode, struct f
 					if (copy_from_user(&iocts, argp,
 					     sizeof(isdn_ioctl_struct)))
 						return -EFAULT;
+					iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 					if (strlen(iocts.drvid)) {
 						drvidx = -1;
 						for (i = 0; i < ISDN_MAX_DRIVERS; i++)
@@ -1643,7 +1645,7 @@ isdn_ioctl(struct inode *inode, struct f
 					} else {
 						p = (char __user *) iocts.arg;
 						for (i = 0; i < 10; i++) {
-							sprintf(bname, "%s%s",
+							snprintf(bname, sizeof(bname), "%s%s",
 								strlen(dev->drv[drvidx]->msn2eaz[i]) ?
 								dev->drv[drvidx]->msn2eaz[i] : "_",
 								(i < 9) ? "," : "\0");
@@ -1673,6 +1675,7 @@ isdn_ioctl(struct inode *inode, struct f
 					char *p;
 					if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct)))
 						return -EFAULT;
+					iocts.drvid[sizeof(iocts.drvid)-1] = 0;
 					if (strlen(iocts.drvid)) {
 						if ((p = strchr(iocts.drvid, ',')))
 							*p = 0;
_

Patches currently in -mm which might be from kkeil@xxxxxxx are

fix-versus-precedence-in-various-places.patch
remove-warnings-for-longstanding-conditions-fix.patch
remove-pointless-casts-from-void-pointers.patch
cleanup-after-apus-removal.patch
gigaset-clean-up-urb-status-usage.patch
gigaset-code-cleanups.patch
bas_gigaset-suspend-support-v2.patch
usb_gigaset-suspend-support-v3.patch
gigaset-permit-module-unload.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




