diff options
author | Chen Gang <gang.chen@asianux.com> | 2013-03-07 18:25:41 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2013-03-08 00:35:44 -0500 |
commit | f39479363e0361c8bb4397481c01a7c3a1a3c8ac (patch) | |
tree | b2619455915812602af6c2f19e84d435d9b8ca7c | |
parent | 2e85d67690cf3ea3f074a6e872f675226883fe7f (diff) | |
download | linux-f39479363e0361c8bb4397481c01a7c3a1a3c8ac.tar.gz linux-f39479363e0361c8bb4397481c01a7c3a1a3c8ac.tar.bz2 linux-f39479363e0361c8bb4397481c01a7c3a1a3c8ac.zip |
drivers/isdn: checkng length to be sure not memory overflow
sizeof (cmd.parm.cmsg.para) is 50 (MAX_CAPI_PARA_LEN).
sizeof (cmd.parm) is 80+, but less than 100.
strlen(msg) may be more than 80+ (Modem-Commandbuffer, less than 255).
isdn_tty_send_msg is called by isdn_tty_parse_at
the relative parameter is m->mdmcmd (atemu *m)
the relative command may be "+M..."
so need check the length to be sure not memory overflow.
cmd.parm is a union, and need keep original valid buffer length no touch
Signed-off-by: Chen Gang <gang.chen@asianux.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | drivers/isdn/i4l/isdn_tty.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c index d8a7d8323414..ebaebdf30f98 100644 --- a/drivers/isdn/i4l/isdn_tty.c +++ b/drivers/isdn/i4l/isdn_tty.c @@ -902,7 +902,9 @@ isdn_tty_send_msg(modem_info *info, atemu *m, char *msg) int j; int l; - l = strlen(msg); + l = min(strlen(msg), sizeof(cmd.parm) - sizeof(cmd.parm.cmsg) + + sizeof(cmd.parm.cmsg.para) - 2); + if (!l) { isdn_tty_modem_result(RESULT_ERROR, info); return; |