staging: comedi: fix infoleak to userspace driver_name and board_name are pointers to strings, not buffers of size COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

commit: 819cbb120eaec7e014e5abd029260db1ca8c5735 [log] [tgz]
author: Vasiliy Kulikov <segoon@openwall.com> Sun Jun 26 12:56:22 2011 +0400
committer: Greg Kroah-Hartman <gregkh@suse.de> Tue Jul 05 09:24:18 2011 -0700
tree: 4f669b6161eca72a3b1feace6edb14beb1e9cc24
parent: 85678d5d27cb0ea1005316f51b1b062bf4609b66 [diff] [blame]
diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
index 15a209f..419976b 100644
--- a/drivers/staging/comedi/comedi_fops.c
+++ b/drivers/staging/comedi/comedi_fops.c

@@ -383,8 +383,8 @@
 	/* fill devinfo structure */
 	devinfo.version_code = COMEDI_VERSION_CODE;
 	devinfo.n_subdevs = dev->n_subdevices;
-	memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
-	memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
+	strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN);
+	strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN);
 
 	if (read_subdev)
 		devinfo.read_subdevice = read_subdev - dev->subdevices;
commit	819cbb120eaec7e014e5abd029260db1ca8c5735	[log] [tgz]
author	Vasiliy Kulikov <segoon@openwall.com>	Sun Jun 26 12:56:22 2011 +0400
committer	Greg Kroah-Hartman <gregkh@suse.de>	Tue Jul 05 09:24:18 2011 -0700
tree	4f669b6161eca72a3b1feace6edb14beb1e9cc24
parent	85678d5d27cb0ea1005316f51b1b062bf4609b66 [diff] [blame]