From: Tilman Schmidt <tilman@imap.cc>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Karsten Keil <isdn@linux-pingi.de>,
netdev@vger.kernel.org
Subject: Re: [bug report] buffer overflow in isdn capi
Date: Tue, 03 Jun 2014 00:48:02 +0200 [thread overview]
Message-ID: <538CFF22.5020800@imap.cc> (raw)
In-Reply-To: <20140401154830.GA16759@mwanda>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello all,
on 01.04.2014 17:48, Dan Carpenter wrote:
> The command_2_index() function is buggy and leads to a buffer
> overflow. Does anyone know how to fix this?
AFAICS this is still unfixed.
As an easy fix I propose:
- --- a/drivers/isdn/capi/capiutil.c
+++ b/drivers/isdn/capi/capiutil.c
@@ -203,14 +203,7 @@ static unsigned char *cpars[] =
/*-------------------------------------------------------*/
static unsigned command_2_index(unsigned c, unsigned sc)
{
- - if (c & 0x80)
- - c = 0x9 + (c & 0x0f);
- - else if (c <= 0x0f);
- - else if (c == 0x41)
- - c = 0x9 + 0x1;
- - else if (c == 0xff)
- - c = 0x00;
- - return (sc & 3) * (0x9 + 0x9) + c;
+ return (sc & 3) * (0x9 + 0x9) + ((c & 0xf0) ? 0x9 : 0) + (c &
0x0f);
}
/*-------------------------------------------------------*/
This produces identical results to the current function for
all legal values of c (0x00..0x08, 0x41, 0x80..0x88, 0xff)
and guarantees that the result is <= 0x4e for all possible
inputs, whether legal or not. It also makes it clearer what
that function actually does.
Unless somebody points out a serious flaw with this I'll test it
and submit a formal patch.
Karsten's other concern about unhandled NULL pointers in the
mnames[] and cpars[] arrays should be addressed separately IMHO.
Regards,
Tilman
- --
Tilman Schmidt E-Mail: tilman@imap.cc
Bonn, Germany
Diese Nachricht besteht zu 100% aus wiederverwerteten Bits.
Ungeöffnet mindestens haltbar bis: (siehe Rückseite)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlOM/yIACgkQQ3+did9BuFuwMwCfVZq5Lx0P+ddhe/5WlxuO5zzp
VV4AoIn50I1wa4r4DtWfHFErMysgjsxr
=k/+h
-----END PGP SIGNATURE-----
prev parent reply other threads:[~2014-06-02 22:48 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-01 15:48 [bug report] buffer overflow in isdn capi Dan Carpenter
2014-04-01 16:25 ` Joe Perches
2014-04-02 16:46 ` Karsten Keil
2014-06-02 22:48 ` Tilman Schmidt [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=538CFF22.5020800@imap.cc \
--to=tilman@imap.cc \
--cc=dan.carpenter@oracle.com \
--cc=isdn@linux-pingi.de \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).