From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.4 15/27] isdnloop: several buffer overflows
Date: Thu, 24 Apr 2014 14:55:49 -0700 [thread overview]
Message-ID: <20140424215552.417961567@linuxfoundation.org> (raw)
In-Reply-To: <20140424215551.942390050@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ]
There are three buffer overflows addressed in this patch.
1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
then copy it into a 60 character buffer. I have made the destination
buffer 64 characters and I'm changed the sprintf() to a snprintf().
2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
character buffer so we have 54 characters. The ->eazlist[] is 11
characters long. I have modified the code to return if the source
buffer is too long.
3) In isdnloop_command() the cbuf[] array was 60 characters long but the
max length of the string then can be up to 79 characters. I made the
cbuf array 80 characters long and changed the sprintf() to snprintf().
I also removed the temporary "dial" buffer and changed it to use "p"
directly.
Unfortunately, we pass the "cbuf" string from isdnloop_command() to
isdnloop_writecmd() which truncates anything over 60 characters to make
it fit in card->omsg[]. (It can accept values up to 255 characters so
long as there is a '\n' character every 60 characters). For now I have
just fixed the memory corruption bug and left the other problems in this
driver alone.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[
static void
isdnloop_fake_err(isdnloop_card *card)
{
- char buf[60];
+ char buf[64];
- sprintf(buf, "E%s", card->omsg);
+ snprintf(buf, sizeof(buf), "E%s", card->omsg);
isdnloop_fake(card, buf, -1);
isdnloop_fake(card, "NAK", -1);
}
@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card)
case 7:
/* 0x;EAZ */
p += 3;
+ if (strlen(p) >= sizeof(card->eazlist[0]))
+ break;
strcpy(card->eazlist[ch - 1], p);
break;
case 8:
@@ -1133,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
{
ulong a;
int i;
- char cbuf[60];
+ char cbuf[80];
isdn_ctrl cmd;
isdnloop_cdef cdef;
@@ -1198,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
break;
if ((c->arg & 255) < ISDNLOOP_BCH) {
char *p;
- char dial[50];
char dcode[4];
a = c->arg;
@@ -1210,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
} else
/* Normal Dial */
strcpy(dcode, "CAL");
- strcpy(dial, p);
- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
- dcode, dial, c->parm.setup.si1,
- c->parm.setup.si2, c->parm.setup.eazmsn);
+ snprintf(cbuf, sizeof(cbuf),
+ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
+ dcode, p, c->parm.setup.si1,
+ c->parm.setup.si2, c->parm.setup.eazmsn);
i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card);
}
break;
next prev parent reply other threads:[~2014-04-24 21:57 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-24 21:55 [PATCH 3.4 00/27] 3.4.88-stable review Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 01/27] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 03/27] net: unix: non blocking recvmsg() should not return -EINTR Greg Kroah-Hartman
2014-04-24 22:01 ` Rainer Weikusat
2014-04-24 22:19 ` Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 04/27] ipv6: dont set DST_NOCOUNT for remotely added routes Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 06/27] net: socket: error on a negative msg_namelen Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 07/27] ipv6: Avoid unnecessary temporary addresses being generated Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 08/27] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 09/27] vhost: fix total length when packets are too short Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 10/27] vhost: validate vhost_get_vq_desc return value Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 11/27] xen-netback: remove pointless clause from if statement Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 12/27] ipv6: some ipv6 statistic counters failed to disable bh Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 13/27] netlink: dont compare the nul-termination in nla_strcmp Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 14/27] isdnloop: Validate NUL-terminated strings from user Greg Kroah-Hartman
2014-04-24 21:55 ` Greg Kroah-Hartman [this message]
2014-04-24 21:55 ` [PATCH 3.4 16/27] rds: prevent dereference of a NULL device in rds_iw_laddr_check Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 17/27] sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 18/27] Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." Greg Kroah-Hartman
2014-04-24 21:55 ` Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 19/27] sparc32: fix build failure for arch_jump_label_transform Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 20/27] sparc64: dont treat 64-bit syscall return codes as 32-bit Greg Kroah-Hartman
2014-04-24 21:55 ` Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 21/27] Char: ipmi_bt_sm, fix infinite loop Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 22/27] Bluetooth: Fix removing Long Term Key Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 23/27] jffs2: Fix segmentation fault found in stress test Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 24/27] jffs2: Fix crash due to truncation of csize Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 25/27] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 26/27] jffs2: remove from wait queue after schedule() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 27/27] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Greg Kroah-Hartman
2014-04-25 0:12 ` [PATCH 3.4 00/27] 3.4.88-stable review Guenter Roeck
2014-04-25 17:21 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140424215552.417961567@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.