summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChen Gang <gang.chen@asianux.com>2013-03-07 18:25:41 +0000
committerDavid S. Miller <davem@davemloft.net>2013-03-08 00:35:44 -0500
commitf39479363e0361c8bb4397481c01a7c3a1a3c8ac (patch)
treeb2619455915812602af6c2f19e84d435d9b8ca7c
parent2e85d67690cf3ea3f074a6e872f675226883fe7f (diff)
downloadlinux-f39479363e0361c8bb4397481c01a7c3a1a3c8ac.tar.gz
linux-f39479363e0361c8bb4397481c01a7c3a1a3c8ac.tar.bz2
linux-f39479363e0361c8bb4397481c01a7c3a1a3c8ac.zip
drivers/isdn: checkng length to be sure not memory overflow
sizeof (cmd.parm.cmsg.para) is 50 (MAX_CAPI_PARA_LEN). sizeof (cmd.parm) is 80+, but less than 100. strlen(msg) may be more than 80+ (Modem-Commandbuffer, less than 255). isdn_tty_send_msg is called by isdn_tty_parse_at the relative parameter is m->mdmcmd (atemu *m) the relative command may be "+M..." so need check the length to be sure not memory overflow. cmd.parm is a union, and need keep original valid buffer length no touch Signed-off-by: Chen Gang <gang.chen@asianux.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/isdn/i4l/isdn_tty.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
index d8a7d8323414..ebaebdf30f98 100644
--- a/drivers/isdn/i4l/isdn_tty.c
+++ b/drivers/isdn/i4l/isdn_tty.c
@@ -902,7 +902,9 @@ isdn_tty_send_msg(modem_info *info, atemu *m, char *msg)
int j;
int l;
- l = strlen(msg);
+ l = min(strlen(msg), sizeof(cmd.parm) - sizeof(cmd.parm.cmsg)
+ + sizeof(cmd.parm.cmsg.para) - 2);
+
if (!l) {
isdn_tty_modem_result(RESULT_ERROR, info);
return;