isdnloop: use strlcpy() instead of strcpy()

[ Upstream commit f9a23c84486ed350cce7bb1b2828abd1f6658796 ]

These strings come from a copy_from_user() and there is no way to be
sure they are NUL terminated.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/drivers/isdn/isdnloop/isdnloop.c b/drivers/isdn/isdnloop/isdnloop.c
index 509135f225db32db902912ba31876d9c7e0fdf72..4df80fb7a31461a4cd4576e21c0c59c506d508d8 100644 (file)
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -1083,8 +1083,10 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
                                spin_unlock_irqrestore(&card->isdnloop_lock, flags);
                                return -ENOMEM;
                        }
-                       for (i = 0; i < 3; i++)
-                               strcpy(card->s0num[i], sdef.num[i]);
+                       for (i = 0; i < 3; i++) {
+                               strlcpy(card->s0num[i], sdef.num[i],
+                                       sizeof(card->s0num[0]));
+                       }
                        break;
                case ISDN_PTYPE_1TR6:
                        if (isdnloop_fake(card, "DRV1.04TC-1TR6-CAPI-CNS-BASIS-29.11.95",
@@ -1097,7 +1099,7 @@ isdnloop_start(isdnloop_card * card, isdnloop_sdef * sdefp)
                                spin_unlock_irqrestore(&card->isdnloop_lock, flags);
                                return -ENOMEM;
                        }
-                       strcpy(card->s0num[0], sdef.num[0]);
+                       strlcpy(card->s0num[0], sdef.num[0], sizeof(card->s0num[0]));
                        card->s0num[1][0] = '\0';
                        card->s0num[2][0] = '\0';
                        break;