2.6.22-stable review patch. If anyone has any objections, please let us know. ------------------ From: Karsten Keil patch eafe1aa37e6ec2d56f14732b5240c4dd09f0613a in mainline. Fix possible memory overrun issue in the isdn ioctl code. Found by ADLAB Signed-off-by: Karsten Keil Cc: ADLAB Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman --- drivers/isdn/i4l/isdn_common.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/isdn/i4l/isdn_common.c +++ b/drivers/isdn/i4l/isdn_common.c @@ -1514,6 +1514,7 @@ isdn_ioctl(struct inode *inode, struct f if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) return -EFAULT; + iocts.drvid[sizeof(iocts.drvid)-1] = 0; if (strlen(iocts.drvid)) { if ((p = strchr(iocts.drvid, ','))) *p = 0; @@ -1598,6 +1599,7 @@ isdn_ioctl(struct inode *inode, struct f if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) return -EFAULT; + iocts.drvid[sizeof(iocts.drvid)-1] = 0; if (strlen(iocts.drvid)) { drvidx = -1; for (i = 0; i < ISDN_MAX_DRIVERS; i++) @@ -1642,7 +1644,7 @@ isdn_ioctl(struct inode *inode, struct f } else { p = (char __user *) iocts.arg; for (i = 0; i < 10; i++) { - sprintf(bname, "%s%s", + snprintf(bname, sizeof(bname), "%s%s", strlen(dev->drv[drvidx]->msn2eaz[i]) ? dev->drv[drvidx]->msn2eaz[i] : "_", (i < 9) ? "," : "\0"); @@ -1672,6 +1674,7 @@ isdn_ioctl(struct inode *inode, struct f char *p; if (copy_from_user(&iocts, argp, sizeof(isdn_ioctl_struct))) return -EFAULT; + iocts.drvid[sizeof(iocts.drvid)-1] = 0; if (strlen(iocts.drvid)) { if ((p = strchr(iocts.drvid, ','))) *p = 0; -- -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/