Vegard Nossum wrote: > Both the in-kernel and BSD strlcpy() require that the source string is > NUL terminated. We could use strncpy() + explicitly terminate the result, > but this relies on src and dest having the same size, so the safest thing > to do seems to explicitly terminate the source string before doing the > strlcpy(). : > diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c > index 02125e6..50cd348 100644 > --- a/drivers/isdn/isdnloop/isdnloop.c > +++ b/drivers/isdn/isdnloop/isdnloop.c > @@ -1070,6 +1070,14 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp) > return -EBUSY; > if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef))) > return -EFAULT; > + > + /* > + * Null terminate strings from userspace so we don't have to worry > + * about this later on. > + */ > + for (i = 0; i < 3; i++) > + sdef.num[i][sizeof(sdef.num[0]) - 1] = '\0'; > + Why don't we return -EINVAL if it is not correctly terminated by NUL? --yoshfuji -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html