linux-uconsole/drivers
Dan Carpenter ef533ea1fd isdnloop: several buffer overflows
[ Upstream commit 7563487cbf ]

There are three buffer overflows addressed in this patch.

1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
then copy it into a 60 character buffer.  I have made the destination
buffer 64 characters and I have changed the sprintf() to a snprintf().

2) In isdnloop_parse_cmd(), p points 6 characters into a 60
character buffer so we have 54 characters.  The ->eazlist[] is 11
characters long.  I have modified the code to return if the source
buffer is too long.

3) In isdnloop_command() the cbuf[] array was 60 characters long but the
max length of the string then can be up to 79 characters.  I made the
cbuf array 80 characters long and changed the sprintf() to snprintf().
I also removed the temporary "dial" buffer and changed it to use "p"
directly.

Unfortunately, we pass the "cbuf" string from isdnloop_command() to
isdnloop_writecmd() which truncates anything over 60 characters to make
it fit in card->omsg[].  (It can accept values up to 255 characters so
long as there is a '\n' character every 60 characters).  For now I have
just fixed the memory corruption bug and left the other problems in this
driver alone.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-04-14 06:42:18 -07:00
..
accessibility
acpi ACPI / sleep: Add extra checks for HW Reduced ACPI mode sleep states 2014-03-23 21:38:17 -07:00
amba
ata libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus SpinPoint M8 (2BA30001) 2014-03-23 21:38:16 -07:00
atm atm: idt77252: fix dev refcnt leak 2013-12-08 07:29:25 -08:00
auxdisplay
base PM / runtime: Use pm_runtime_put_sync() in __device_release_driver() 2013-12-04 10:56:59 -08:00
bcma
block mm: close PageTail race 2014-04-03 12:01:05 -07:00
bluetooth Bluetooth: Add support for BCM20702A0 [0b05, 17cb] 2013-10-13 16:08:32 -07:00
bus
cdrom drivers/cdrom/cdrom.c: use kzalloc() for failing hardware 2013-07-13 11:42:26 -07:00
char raw: test against runtime value of max_raw_minors 2014-02-22 12:41:27 -08:00
clk clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks 2014-01-15 15:28:52 -08:00
clocksource clocksource: em_sti: Set cpu_possible_mask to fix SMP broadcast 2014-01-15 15:28:45 -08:00
connector connector: improved unaligned access error fix 2013-12-08 07:29:25 -08:00
cpufreq powernow-k6: reorder frequencies 2014-04-14 06:42:14 -07:00
cpuidle cpuidle: Check the result of cpuidle_get_driver() against NULL 2014-04-14 06:42:15 -07:00
crypto crypto: caam - Fixed the memory out of bound overwrite issue 2013-08-04 16:50:57 +08:00
dca
devfreq
dio
dma ioat: fix tasklet tear down 2014-03-06 21:30:14 -08:00
edac i7300_edac: Fix device reference count 2014-03-06 21:30:13 -08:00
eisa Revert "EISA: Initialize device before its resources" 2014-02-13 13:47:59 -08:00
extcon
firewire firewire: don't use PREPARE_DELAYED_WORK 2014-03-23 21:38:16 -07:00
firmware dmi: add support for exact DMI matches in addition to substring matching 2013-11-29 11:11:53 -08:00
gpio gpio-rcar: R-Car GPIO IRQ share interrupt 2014-01-15 15:28:45 -08:00
gpu drm/radeon/atom: select the proper number of lanes in transmitter setup 2014-03-23 21:38:17 -07:00
hid HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue"" 2014-01-15 15:28:45 -08:00
hsi
hv Drivers: hv: vmbus: Don't timeout during the initial connection with host 2014-02-22 12:41:28 -08:00
hwmon hwmon: (max1668) Fix writing the minimum temperature 2014-03-06 21:30:11 -08:00
hwspinlock
i2c i2c: i801: SMBus patch for Intel Coleto Creek DeviceIDs 2014-02-13 13:48:03 -08:00
ide
idle x86 idle: Repair large-server 50-watt idle-power regression 2014-01-09 12:24:21 -08:00
iio iio:gyro: bug on L3GD20H gyroscope support 2014-03-06 21:30:11 -08:00
infiniband iser-target: Fix post_send_buf_count for RDMA READ/WRITE 2014-03-23 21:38:22 -07:00
input Input: cypress_ps2 - don't report as a button pads 2014-04-03 12:01:04 -07:00
iommu intel-iommu: fix off-by-one in pagetable freeing 2014-02-13 13:47:59 -08:00
ipack
irqchip irq-metag*: stop set_affinity vectoring to offline cpus 2014-03-06 21:30:12 -08:00
isdn isdnloop: several buffer overflows 2014-04-14 06:42:18 -07:00
leds leds: wm831x-status: Request a REG resource 2013-09-26 17:18:27 -07:00
lguest
macintosh powerpc/windfarm: Fix noisy slots-fan on Xserve (rm31) 2013-08-11 18:35:20 -07:00
mailbox
md dm cache: fix access beyond end of origin device 2014-03-23 21:38:18 -07:00
media media: cx18: check for allocation failure in cx18_read_eeprom() 2014-03-31 09:58:12 -07:00
memory
memstick
message
mfd mfd: lpc_ich: iTCO_wdt patch for Intel Coleto Creek DeviceIDs 2014-02-13 13:48:03 -08:00
misc mei: set client's read_cb to NULL when flow control fails 2014-03-06 21:30:10 -08:00
mmc mmc: atmel-mci: fix timeout errors in SDIO mode when using DMA 2014-02-13 13:48:00 -08:00
mtd mtd: mxc_nand: remove duplicated ecc_stats counting 2014-02-13 13:48:00 -08:00
net xen-netback: remove pointless clause from if statement 2014-04-14 06:42:18 -07:00
nfc
ntb NTB: Correct debugfs to work with more than 1 NTB Device 2013-11-13 12:05:35 +09:00
nubus
of of: fix PCI bus match for PCIe slots 2014-02-22 12:41:27 -08:00
oprofile
parisc parisc: Fix interrupt routing for C8000 serial ports 2013-08-11 18:35:21 -07:00
parport parport: parport_pc: remove double PCI ID for NetMos 2014-02-06 11:08:15 -08:00
pci PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not enabled 2014-03-23 21:38:18 -07:00
pcmcia pcmcia: at91_cf: fix gpio_get_value in at91_cf_get_status 2013-07-21 18:21:25 -07:00
pinctrl pinctrl: protect pinctrl_list add 2014-02-20 11:06:11 -08:00
platform hp_accel: Add a new PnP ID HPQ6007 for new HP laptops 2014-02-06 11:08:16 -08:00
pnp PNP / ACPI: proper handling of ACPI IO/Memory resource parsing failures 2014-03-23 21:38:22 -07:00
power power: max17040: Fix NULL pointer dereference when there is no platform_data 2014-02-22 12:41:29 -08:00
pps
ps3
ptp ptp_pch: fix error handling in pch_probe() 2013-05-25 21:24:15 -07:00
pwm
rapidio rapidio/tsi721: fix tasklet termination in dma channel release 2014-03-23 21:38:09 -07:00
regulator regulator: core: Replace direct ops->disable usage 2014-03-31 09:58:13 -07:00
remoteproc
reset
rpmsg
rtc rtc-cmos: Add an alarm disable quirk 2014-02-13 13:48:03 -08:00
s390 s390/dasd: hold request queue sysfs lock when calling elevator_init() 2014-03-23 21:38:20 -07:00
sbus
scsi SCSI: storvsc: NULL pointer dereference fix 2014-03-23 21:38:19 -07:00
sfi
sh
sn
spi spi: spi-ath79: fix initial GPIO CS line setup 2014-03-23 21:38:16 -07:00
ssb
ssbi
staging staging: binder: Fix death notifications 2014-03-06 21:30:11 -08:00
target iscsi/iser-target: Fix isert_conn->state hung shutdown issues 2014-03-23 21:38:21 -07:00
tc
thermal
tty vt: Fix secure clear screen 2014-02-22 12:41:27 -08:00
uio Fix a few incorrectly checked [io_]remap_pfn_range() calls 2013-11-13 12:05:33 +09:00
usb xhci: Fix resume issues on Renesas chips in Samsung laptops 2014-03-31 09:58:14 -07:00
uwb
vfio mm: close PageTail race 2014-04-03 12:01:05 -07:00
vhost vhost: validate vhost_get_vq_desc return value 2014-04-14 06:42:18 -07:00
video video: kyro: fix incorrect sizes when copying to userspace 2013-12-08 07:29:27 -08:00
virt
virtio virtio: support unlocked queue poll 2013-07-28 16:29:55 -07:00
vlynq
vme VME: Correct read/write alignment algorithm 2014-02-22 12:41:28 -08:00
w1
watchdog sc1200_wdt: Fix oops 2013-12-20 07:45:11 -08:00
xen xen/gnttab: leave lazy MMU mode in the case of a m2p override failure 2013-12-11 22:36:27 -08:00
zorro
Kconfig
Makefile