diff mbox

[3.11.y.z,extended,stable] Patch "isdnloop: Validate NUL-terminated strings from user." has been added to staging queue

Message ID 874n205a07.fsf@canonical.com
State New
Headers show

Commit Message

Luis Henriques April 11, 2014, 12:24 p.m. UTC 
Luis Henriques <luis.henriques@canonical.com> writes:

> This is a note to let you know that I have just added a patch titled
>
>     isdnloop: Validate NUL-terminated strings from user.
>
> to the linux-3.11.y-queue branch of the 3.11.y.z extended stable tree 
> which can be found at:
>
>  http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.11.y-queue
>
> If you, or anyone else, feels it should not be added to this tree, please 
> reply to this email.
>
> For more information about the 3.11.y.z tree, see
> https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable
>
> Thanks.
> -Luis
>
> ------

Ups, looks like I've a bug in my scripts and the actual patch wasn't
appended.  The patch that has been queued for the 3.11 kernel is the
one below.

Cheers,
diff mbox

Patch

diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
index 02125e6..e1f8748 100644
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -1070,6 +1070,12 @@  isdnloop_start(isdnloop_card *card, isdnloop_sdef *sdefp)
 		return -EBUSY;
 	if (copy_from_user((char *) &sdef, (char *) sdefp, sizeof(sdef)))
 		return -EFAULT;
+
+	for (i = 0; i < 3; i++) {
+		if (!memchr(sdef.num[i], 0, sizeof(sdef.num[i])))
+			return -EINVAL;
+	}
+
 	spin_lock_irqsave(&card->isdnloop_lock, flags);
 	switch (sdef.ptype) {
 	case ISDN_PTYPE_EURO: