From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Dan Carpenter <dan.carpenter@oracle.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.10 33/41] isdnloop: several buffer overflows
Date: Fri, 11 Apr 2014 09:10:04 -0700 [thread overview]
Message-ID: <20140411160935.233449771@linuxfoundation.org> (raw)
In-Reply-To: <20140411160932.865173041@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ]
There are three buffer overflows addressed in this patch.
1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
then copy it into a 60 character buffer. I have made the destination
buffer 64 characters and I'm changed the sprintf() to a snprintf().
2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
character buffer so we have 54 characters. The ->eazlist[] is 11
characters long. I have modified the code to return if the source
buffer is too long.
3) In isdnloop_command() the cbuf[] array was 60 characters long but the
max length of the string then can be up to 79 characters. I made the
cbuf array 80 characters long and changed the sprintf() to snprintf().
I also removed the temporary "dial" buffer and changed it to use "p"
directly.
Unfortunately, we pass the "cbuf" string from isdnloop_command() to
isdnloop_writecmd() which truncates anything over 60 characters to make
it fit in card->omsg[]. (It can accept values up to 255 characters so
long as there is a '\n' character every 60 characters). For now I have
just fixed the memory corruption bug and left the other problems in this
driver alone.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/isdn/isdnloop/isdnloop.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- a/drivers/isdn/isdnloop/isdnloop.c
+++ b/drivers/isdn/isdnloop/isdnloop.c
@@ -518,9 +518,9 @@ static isdnloop_stat isdnloop_cmd_table[
static void
isdnloop_fake_err(isdnloop_card *card)
{
- char buf[60];
+ char buf[64];
- sprintf(buf, "E%s", card->omsg);
+ snprintf(buf, sizeof(buf), "E%s", card->omsg);
isdnloop_fake(card, buf, -1);
isdnloop_fake(card, "NAK", -1);
}
@@ -903,6 +903,8 @@ isdnloop_parse_cmd(isdnloop_card *card)
case 7:
/* 0x;EAZ */
p += 3;
+ if (strlen(p) >= sizeof(card->eazlist[0]))
+ break;
strcpy(card->eazlist[ch - 1], p);
break;
case 8:
@@ -1133,7 +1135,7 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
{
ulong a;
int i;
- char cbuf[60];
+ char cbuf[80];
isdn_ctrl cmd;
isdnloop_cdef cdef;
@@ -1198,7 +1200,6 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
break;
if ((c->arg & 255) < ISDNLOOP_BCH) {
char *p;
- char dial[50];
char dcode[4];
a = c->arg;
@@ -1210,10 +1211,10 @@ isdnloop_command(isdn_ctrl *c, isdnloop_
} else
/* Normal Dial */
strcpy(dcode, "CAL");
- strcpy(dial, p);
- sprintf(cbuf, "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
- dcode, dial, c->parm.setup.si1,
- c->parm.setup.si2, c->parm.setup.eazmsn);
+ snprintf(cbuf, sizeof(cbuf),
+ "%02d;D%s_R%s,%02d,%02d,%s\n", (int) (a + 1),
+ dcode, p, c->parm.setup.si1,
+ c->parm.setup.si2, c->parm.setup.eazmsn);
i = isdnloop_writecmd(cbuf, strlen(cbuf), 0, card);
}
break;
next prev parent reply other threads:[~2014-04-11 16:10 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-11 16:09 [PATCH 3.10 00/41] 3.10.37-stable review Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 01/41] selinux: correctly label /proc inodes in use before the policy is loaded Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 02/41] powernow-k6: disable cache when changing frequency Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 03/41] powernow-k6: correctly initialize default parameters Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 04/41] powernow-k6: reorder frequencies Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 05/41] kbuild: fix make headers_install when path is too long Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 06/41] cpuidle: Check the result of cpuidle_get_driver() against NULL Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 07/41] net: fix for a race condition in the inet frag code Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 08/41] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 09/41] bridge: multicast: add sanity check for query source addresses Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 10/41] inet: frag: make sure forced eviction removes all frags Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 11/41] net: unix: non blocking recvmsg() should not return -EINTR Greg Kroah-Hartman
2014-04-11 16:21 ` Rainer Weikusat
2014-04-11 16:09 ` [PATCH 3.10 12/41] ipv6: Fix exthdrs offload registration Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 13/41] ipv6: dont set DST_NOCOUNT for remotely added routes Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 14/41] vlan: Set correct source MAC address with TX VLAN offload enabled Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 15/41] tcp: tcp_release_cb() should release socket ownership Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 16/41] net: socket: error on a negative msg_namelen Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 17/41] ipv6: Avoid unnecessary temporary addresses being generated Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 18/41] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 19/41] vxlan: fix potential NULL dereference in arp_reduce() Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 20/41] rtnetlink: fix fdb notification flags Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 21/41] ipmr: fix mfc " Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 22/41] ip6mr: " Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 23/41] netpoll: fix the skb check in pkt_is_ns Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 24/41] tg3: Do not include vlan acceleration features in vlan_features Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 25/41] usbnet: include wait queue head in device structure Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 26/41] vlan: Set hard_header_len according to available acceleration Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 27/41] vhost: fix total length when packets are too short Greg Kroah-Hartman
2014-04-11 16:09 ` [PATCH 3.10 28/41] vhost: validate vhost_get_vq_desc return value Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 29/41] xen-netback: remove pointless clause from if statement Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 30/41] ipv6: some ipv6 statistic counters failed to disable bh Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 31/41] netlink: dont compare the nul-termination in nla_strcmp Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 32/41] isdnloop: Validate NUL-terminated strings from user Greg Kroah-Hartman
2014-04-11 16:10 ` Greg Kroah-Hartman [this message]
2014-04-11 16:10 ` [PATCH 3.10 34/41] rds: prevent dereference of a NULL device in rds_iw_laddr_check Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 35/41] ARC: [nsimosci] Change .dts to use generic 8250 UART Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 36/41] ARC: [nsimosci] Unbork console Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 37/41] futex: Allow architectures to skip futex_atomic_cmpxchg_inatomic() test Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 38/41] m68k: Skip " Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 39/41] crypto: ghash-clmulni-intel - use C implementation for setkey() Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 40/41] cpufreq: Fix governor start/stop race condition Greg Kroah-Hartman
2014-04-11 16:10 ` [PATCH 3.10 41/41] cpufreq: Fix timer/workqueue corruption due to double queueing Greg Kroah-Hartman
2014-04-11 21:44 ` [PATCH 3.10 00/41] 3.10.37-stable review Guenter Roeck
2014-04-11 23:45 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140411160935.233449771@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dan.carpenter@oracle.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).