isdn: icn: buffer overflow in icn_command()
authorDan Carpenter <dan.carpenter@oracle.com>
Wed, 16 Apr 2014 11:25:16 +0000 (14:25 +0300)
committerDavid S. Miller <davem@davemloft.net>
Wed, 16 Apr 2014 19:24:15 +0000 (15:24 -0400)
This buffer overflow was detected using static analysis:

drivers/isdn/icn/icn.c:1325 icn_command()
error: format string overflow. buf_size: 60 length: 98

The calculation for the length of the string is off because it assumes
that the dial[] buffer holds a 50 character string, but actually it is
at most 31 characters and NUL.  I have removed the dial[] buffer because
it isn't needed.

The maximum length of the string is actually 79 characters and a NUL.  I
have made the cbuf[] array large enough to hold it and changed the
sprintf() to an snprintf() as a further safety enhancement.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/isdn/icn/icn.c

index 53d487f0c79ddf9b4dc605a8c8beebb8dcdd92f3..6a7447c304acc39e6edc422bf8f6533acfde93b5 100644 (file)
@@ -1155,7 +1155,7 @@ icn_command(isdn_ctrl *c, icn_card *card)
        ulong a;
        ulong flags;
        int i;
-       char cbuf[60];
+       char cbuf[80];
        isdn_ctrl cmd;
        icn_cdef cdef;
        char __user *arg;
@@ -1309,7 +1309,6 @@ icn_command(isdn_ctrl *c, icn_card *card)
                        break;
                if ((c->arg & 255) < ICN_BCH) {
                        char *p;
-                       char dial[50];
                        char dcode[4];
 
                        a = c->arg;
@@ -1321,10 +1320,10 @@ icn_command(isdn_ctrl *c, icn_card *card)
                        } else
                                /* Normal Dial */
                                strcpy(dcode, "CAL");
-                       strcpy(dial, p);
-                       sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
-                               dcode, dial, c->parm.setup.si1,
-                               c->parm.setup.si2, c->parm.setup.eazmsn);
+                       snprintf(cbuf, sizeof(cbuf),
+                                "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
+                                dcode, p, c->parm.setup.si1,
+                                c->parm.setup.si2, c->parm.setup.eazmsn);
                        i = icn_writecmd(cbuf, strlen(cbuf), 0, card);
                }
                break;
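Review bot: The return value of the new snprintf() in the third hunk is discarded, so if the formatted command ever exceeds cbuf the truncated string, now missing its trailing `\n`, is still handed to icn_writecmd() through strlen(cbuf) and the card receives a malformed command instead of an error. The 80-byte sizing rests on the 79-character bound given in the description holding for every field, and the lengths of the string `p` points to and of c->parm.setup.eazmsn are not visible in this hunk, so a cheap guard seems worth having: `i = snprintf(cbuf, sizeof(cbuf), ...);` followed by `if (i < 0 || i >= (int)sizeof(cbuf)) return -EINVAL;` and `i = icn_writecmd(cbuf, i, 0, card);`, reusing the already-declared int `i` and the snprintf length in place of the second strlen(). The error value should match whatever icn_command() returns elsewhere for rejected arguments; -EINVAL is a guess, since the function begins and ends outside the hunks shown.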