Patch "telephony: ijx: buffer overflow in ixj_write_cid()" has been added to the 3.7-stable tree

Tue, 11 Dec 2012 13:38:55 -0800 

This is a note to let you know that I've just added the patch titled

    telephony: ijx: buffer overflow in ixj_write_cid()

to the 3.7-stable tree which can be found at:
    
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     telephony-ijx-buffer-overflow-in-ixj_write_cid.patch
and it can be found in the queue-3.7 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <[email protected]> know about it.


>From [email protected]  Tue Dec 11 13:26:39 2012
From: Dan Carpenter <[email protected]>
Date: Mon, 3 Dec 2012 22:05:12 +0300
Subject: telephony: ijx: buffer overflow in ixj_write_cid()
To: Greg Kroah-Hartman <[email protected]>
Message-ID: <[email protected]>

[Not needed in 3.8 or newer as this driver is removed there. - gregkh]

We get this from user space and nothing has been done to ensure that
these strings are NUL terminated.

Reported-by: Chen Gang <[email protected]>
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 drivers/staging/telephony/ixj.c |   24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

--- a/drivers/staging/telephony/ixj.c
+++ b/drivers/staging/telephony/ixj.c
@@ -3190,12 +3190,12 @@ static void ixj_write_cid(IXJ *j)
 
        ixj_fsk_alloc(j);
 
-       strcpy(sdmf1, j->cid_send.month);
-       strcat(sdmf1, j->cid_send.day);
-       strcat(sdmf1, j->cid_send.hour);
-       strcat(sdmf1, j->cid_send.min);
-       strcpy(sdmf2, j->cid_send.number);
-       strcpy(sdmf3, j->cid_send.name);
+       strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
+       strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
+       strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
+       strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
+       strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
+       strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));
 
        len1 = strlen(sdmf1);
        len2 = strlen(sdmf2);
@@ -3340,12 +3340,12 @@ static void ixj_write_cidcw(IXJ *j)
                ixj_pre_cid(j);
        }
        j->flags.cidcw_ack = 0;
-       strcpy(sdmf1, j->cid_send.month);
-       strcat(sdmf1, j->cid_send.day);
-       strcat(sdmf1, j->cid_send.hour);
-       strcat(sdmf1, j->cid_send.min);
-       strcpy(sdmf2, j->cid_send.number);
-       strcpy(sdmf3, j->cid_send.name);
+       strlcpy(sdmf1, j->cid_send.month, sizeof(sdmf1));
+       strlcat(sdmf1, j->cid_send.day, sizeof(sdmf1));
+       strlcat(sdmf1, j->cid_send.hour, sizeof(sdmf1));
+       strlcat(sdmf1, j->cid_send.min, sizeof(sdmf1));
+       strlcpy(sdmf2, j->cid_send.number, sizeof(sdmf2));
+       strlcpy(sdmf3, j->cid_send.name, sizeof(sdmf3));
 
        len1 = strlen(sdmf1);
        len2 = strlen(sdmf2);


Patches currently in stable-queue which might be from [email protected] 
are

queue-3.7/telephony-ijx-buffer-overflow-in-ixj_write_cid.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to