This is a note to let you know that I've just added the patch titled isdn/i4l: fix buffer overflow to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: isdn-i4l-fix-buffer-overflow.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 9f5af546e6acc30f075828cb58c7f09665033967 Mon Sep 17 00:00:00 2001 From: Annie Cherkaev <annie.cherk@xxxxxxxxx> Date: Sat, 15 Jul 2017 15:08:58 -0600 Subject: isdn/i4l: fix buffer overflow From: Annie Cherkaev <annie.cherk@xxxxxxxxx> commit 9f5af546e6acc30f075828cb58c7f09665033967 upstream. This fixes a potential buffer overflow in isdn_net.c caused by an unbounded strcpy. [ ISDN seems to be effectively unmaintained, and the I4L driver in particular is long deprecated, but in case somebody uses this.. - Linus ] Signed-off-by: Jiten Thakkar <jitenmt@xxxxxxxxx> Signed-off-by: Annie Cherkaev <annie.cherk@xxxxxxxxx> Cc: Karsten Keil <isdn@xxxxxxxxxxxxxx> Cc: Kees Cook <keescook@xxxxxxxxxxxx> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/isdn/i4l/isdn_common.c | 1 + drivers/isdn/i4l/isdn_net.c | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) --- a/drivers/isdn/i4l/isdn_common.c +++ b/drivers/isdn/i4l/isdn_common.c @@ -1379,6 +1379,7 @@ isdn_ioctl(struct file *file, uint cmd, if (arg) { if (copy_from_user(bname, argp, sizeof(bname) - 1)) return -EFAULT; + bname[sizeof(bname)-1] = 0; } else return -EINVAL; ret = mutex_lock_interruptible(&dev->mtx); --- a/drivers/isdn/i4l/isdn_net.c +++ b/drivers/isdn/i4l/isdn_net.c @@ -2611,10 +2611,9 @@ isdn_net_newslave(char *parm) char newname[10]; if (p) { - /* Slave-Name MUST not be empty */ - if (!strlen(p + 1)) + /* Slave-Name MUST not be empty or overflow 'newname' */ + if (strscpy(newname, p + 1, sizeof(newname)) <= 0) return NULL; - strcpy(newname, p + 1); *p = 0; /* Master must already exist */ if (!(n = isdn_net_findif(parm))) Patches currently in stable-queue which might be from annie.cherk@xxxxxxxxx are queue-4.4/isdn-i4l-fix-buffer-overflow.patch