From 77bc6bed7121936bb2e019a8c336075f4c8eef62 Mon Sep 17 00:00:00 2001 From: =?utf8?q?YOSHIFUJI=20Hideaki=20/=20=E5=90=89=E8=97=A4=E8=8B=B1?= =?utf8?q?=E6=98=8E?= Date: Wed, 2 Apr 2014 12:48:42 +0900 Subject: [PATCH] isdnloop: Validate NUL-terminated strings from user. Return -EINVAL unless all of user-given strings are correctly NUL-terminated. Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- drivers/isdn/isdnloop/isdnloop.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c index 02125e6a9109..e1f8748ff25d 100644 --- a/drivers/isdn/isdnloop/isdnloop.c +++ b/drivers/isdn/isdnloop/isdnloop.c @@ -1070,6 +1070,12 @@ isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp) return -EBUSY; if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef))) return -EFAULT; + + for (i = 0; i < 3; i++) { + if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i]))) + return -EINVAL; + } + spin_lock_irqsave(&card->isdnloop_lock, flags); switch (sdef.ptype) { case ISDN_PTYPE_EURO: -- 2.20.1