From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.4 15/27] isdnloop: several buffer overflows
Date: Thu, 24 Apr 2014 14:55:49 -0700 [thread overview]
Message-ID: <20140424215552.417961567@linuxfoundation.org> (raw)
In-Reply-To: <20140424215551.942390050@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ]
There are three buffer overflows addressed in this patch.
1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
then copy it into a 60 character buffer. I have made the destination
buffer 64 characters and I'm changed the sprintf() to a snprintf().
2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
character buffer so we have 54 characters. The ->eazlist[] is 11
characters long. I have modified the code to return if the source
buffer is too long.
3) In isdnloop_command() the cbuf[] array was 60 characters long but the
max length of the string then can be up to 79 characters. I made the
cbuf array 80 characters long and changed the sprintf() to snprintf().
I also removed the temporary "dial" buffer and changed it to use "p"
directly.
Unfortunately, we pass the "cbuf" string from isdnloop_command() to
isdnloop_writecmd() which truncates anything over 60 characters to make
it fit in card->omsg[]. (It can accept values up to 255 characters so
long as there is a '\n' character every 60 characters). For now I have
just fixed the memory corruption bug and left the other problems in this
driver alone.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[
static void
isdnloop_fake_err(isdnloop_card *card)
{
- char buf[60];
+ char buf[64];
- sprintf(buf, "E%s", card->omsg);
+ snprintf(buf, sizeof(buf), "E%s", card->omsg);
isdnloop_fake(card, buf, -1);
isdnloop_fake(card, "NAK", -1);
}
@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card)
case 7:
/* 0x;EAZ */
p += 3;
+ if (strlen(p) >= sizeof(card->eazlist[0]))
+ break;
strcpy(card->eazlist[ch - 1], p);
break;
case 8:
@@ -1133,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
{
ulong a;
int i;
- char cbuf[60];
+ char cbuf[80];
isdn_ctrl cmd;
isdnloop_cdef cdef;
@@ -1198,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
break;
if ((c->arg & 255) < ISDNLOOP_BCH) {
char *p;
- char dial[50];
char dcode[4];
a = c->arg;
@@ -1210,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
} else
/* Normal Dial */
strcpy(dcode, "CAL");
- strcpy(dial, p);
- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
- dcode, dial, c->parm.setup.si1,
- c->parm.setup.si2, c->parm.setup.eazmsn);
+ snprintf(cbuf, sizeof(cbuf),
+ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
+ dcode, p, c->parm.setup.si1,
+ c->parm.setup.si2, c->parm.setup.eazmsn);
i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card);
}
break;
next prev parent reply other threads:[~2014-04-24 21:57 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-24 21:55 [PATCH 3.4 00/27] 3.4.88-stable review Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 01/27] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 03/27] net: unix: non blocking recvmsg() should not return -EINTR Greg Kroah-Hartman
2014-04-24 22:01 ` Rainer Weikusat
2014-04-24 22:19 ` Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 04/27] ipv6: dont set DST_NOCOUNT for remotely added routes Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 06/27] net: socket: error on a negative msg_namelen Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 07/27] ipv6: Avoid unnecessary temporary addresses being generated Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 08/27] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 09/27] vhost: fix total length when packets are too short Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 10/27] vhost: validate vhost_get_vq_desc return value Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 11/27] xen-netback: remove pointless clause from if statement Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 12/27] ipv6: some ipv6 statistic counters failed to disable bh Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 13/27] netlink: dont compare the nul-termination in nla_strcmp Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 14/27] isdnloop: Validate NUL-terminated strings from user Greg Kroah-Hartman
2014-04-24 21:55 ` Greg Kroah-Hartman [this message]
2014-04-24 21:55 ` [PATCH 3.4 16/27] rds: prevent dereference of a NULL device in rds_iw_laddr_check Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 17/27] sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 18/27] Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 19/27] sparc32: fix build failure for arch_jump_label_transform Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 20/27] sparc64: dont treat 64-bit syscall return codes as 32-bit Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 21/27] Char: ipmi_bt_sm, fix infinite loop Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 22/27] Bluetooth: Fix removing Long Term Key Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 23/27] jffs2: Fix segmentation fault found in stress test Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 24/27] jffs2: Fix crash due to truncation of csize Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 25/27] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 26/27] jffs2: remove from wait queue after schedule() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 27/27] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Greg Kroah-Hartman
2014-04-25 0:12 ` [PATCH 3.4 00/27] 3.4.88-stable review Guenter Roeck
2014-04-25 17:21 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140424215552.417961567@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox