[Suggestion] drivers/staging/telephony: strcpy and strcat, for structure members of PHONE_CID.

Chen Gang gang.chen at asianux.com
Mon Dec 3 03:59:20 UTC 2012


Hello Greg Kroah-Hartman

In drivers/staging/telephony/ixj.c, for function ixj_write_cid:
  it uses strcpy and strcat to copy strings from the members of PHONE_CID (line 3193..3198)
  these members are assigned by user mode (line 6186)
  if these members are not '\0' based strings, it will cause an issue.

  I found it through code review, and have not tested it.
  it would be better to find the relevant maintainers to help with checking and testing.

By the way:
  I found some e-mail addresses in the comments of the file ixj.c,
  is it suitable to send this mail to them?
  If suitable, please tell me, and I will forward this mail to them.

  Thanks.

gchen.


 3175 static void ixj_write_cid(IXJ *j)
 3176 {
 3177         char sdmf1[50];
 3178         char sdmf2[50];
 3179         char sdmf3[80];
 3180         char mdmflen, len1, len2, len3;
 3181         int pad;
 3182 
 3183         int checksum = 0;
 3184 
 3185         if (j->dsp.low == 0x20 || j->flags.cidplay)
 3186                 return;
 3187 
 3188         j->fskz = j->fskphase = j->fskcnt = j->fskdcnt = 0;
 3189         j->cidsize = j->cidcnt = 0;
 3190 
 3191         ixj_fsk_alloc(j);
 3192 
 3193         strcpy(sdmf1, j->cid_send.month);
 3194         strcat(sdmf1, j->cid_send.day);
 3195         strcat(sdmf1, j->cid_send.hour);
 3196         strcat(sdmf1, j->cid_send.min);
 3197         strcpy(sdmf2, j->cid_send.number);
 3198         strcpy(sdmf3, j->cid_send.name);
 3199 
 ...

 6184         case PHONE_RING_START:
 6185                 if(arg) {
 6186                         if (copy_from_user(&j->cid_send, argp, sizeof(PHONE_CID))) {
 6187                                 retval = -EFAULT;
 6188                                 break;
 6189                         }
 6190                         ixj_write_cid(j);
 6191                 } else {
 6192                         memset(&j->cid_send, 0, sizeof(PHONE_CID));
 6193                 }
 6194                 ixj_ring_start(j);
 6195                 break;


-- 
Chen Gang

Asianux Corporation
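
The check this report calls for, as an added user-space example that is not part of the original mail or the ixj driver: confirm each fixed-size field holds a '\0' before treating it as a string, and build the date/time buffer with bounded reads. The struct name, field sizes and function names are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for PHONE_CID; field sizes are assumed for this demo. */
struct demo_cid {
    char month[3], day[3], hour[3], min[3];
    char number[11];
    char name[80];
};

/* 1 if buf holds a NUL within its n bytes, i.e. it is safe to use as a C string. */
static int terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Run right after the copy from the caller, before any strcpy/strcat. */
static int demo_cid_valid(const struct demo_cid *c)
{
    return terminated(c->month, sizeof(c->month)) && terminated(c->day, sizeof(c->day)) &&
           terminated(c->hour, sizeof(c->hour)) && terminated(c->min, sizeof(c->min)) &&
           terminated(c->number, sizeof(c->number)) && terminated(c->name, sizeof(c->name));
}

/* Bounded build of the date/time string: each %.*s reads at most the field size. */
static int build_sdmf1(char *out, size_t outlen, const struct demo_cid *c)
{
    int n = snprintf(out, outlen, "%.*s%.*s%.*s%.*s",
                     (int)sizeof(c->month), c->month,
                     (int)sizeof(c->day), c->day,
                     (int)sizeof(c->hour), c->hour,
                     (int)sizeof(c->min), c->min);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed records: one well formed, one with a 3-byte month and no NUL. */
    struct demo_cid good = {"12", "03", "03", "59", "5551234", "TEST"};
    struct demo_cid bad = good;
    char out[50];

    memcpy(bad.month, "123", sizeof(bad.month));
    printf("good valid=%d bad valid=%d\n", demo_cid_valid(&good), demo_cid_valid(&bad));
    if (build_sdmf1(out, sizeof(out), &good) > 0)
        printf("sdmf1=%s\n", out);
    return 0;
}
```

A caller would reject the request (for example with an error return) when the validity check fails, instead of passing the record on to the string copies.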


