isdnloop: use strlcpy() instead of strcpy()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 14 Nov 2013 08:21:10 +0000 (11:21 +0300)
committerWilly Tarreau <w@1wt.eu>
Mon, 19 May 2014 05:53:58 +0000 (07:53 +0200)
[ Upstream commit f9a23c84486ed350cce7bb1b2828abd1f6658796 ]

These strings come from a copy_from_user() and there is no way to be
sure they are NUL terminated.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
drivers/isdn/isdnloop/isdnloop.c

index 22446f777d67f2a0fb66b6fc0f01db91e937dd4d..92d895f282a74c31b237da98113bb8b9dba29318 100644 (file)
@@ -1082,8 +1082,10 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
                                spin_unlock_irqrestore(&card->isdnloop_lock, flags);
                                return -ENOMEM;
                        }
-                       for (i = 0; i < 3; i++)
-                               strcpy(card->s0num[i], sdef.num[i]);
+                       for (i = 0; i < 3; i++) {
+                               strlcpy(card->s0num[i], sdef.num[i],
+                                       sizeof(card->s0num[0]));
+                       }
                        break;
                case ISDN_PTYPE_1TR6:
                        if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
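Review bot: The strlcpy() call in the loop, and the identical call in the ISDN_PTYPE_1TR6 hunk below, bounds the write into card->s0num[] but not the read of sdef.num[i], because the kernel's strlcpy() runs strlen(src) before copying and so still reads past the end of an unterminated source. The commit message says these strings come from copy_from_user() and may lack a NUL, so the source should be terminated before each copy, e.g. `sdef.num[i][sizeof(sdef.num[i]) - 1] = '\0';`, assuming sdef.num[i] is a fixed-size char array (its declaration is outside the hunk). The return value of strlcpy() is also discarded, so a truncated number is accepted silently; if that matters here, compare it with `sizeof(card->s0num[0])` and reject the request. The body of isdnloop_start starts and ends outside both hunks.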
@@ -1096,7 +1098,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
                                spin_unlock_irqrestore(&card->isdnloop_lock, flags);
                                return -ENOMEM;
                        }
-                       strcpy(card->s0num[0], sdef.num[0]);
+                       strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
                        card->s0num[1][0] = '\0';
                        card->s0num[2][0] = '\0';
                        break;