Date: 16 Nov 1997 13:55:21 +0100 From: Andi Kleen <ak@muc.de> To: Marc Lehmann <pcg@goof.com> Cc: linux-kernel@vger.rutgers.edu, fritz@wuemaus.franken.de, isdn4linux@hub-wue.franken.de Subject: Re: buffer-overflow in isdn Marc Lehmann <pcg@goof.com> writes: > in the isdn driver, the routine isdn_tty.c:isdn_tty_parse_at > copies the string after "ATD" into a 40 byte buffer on the stack, > without checking for overflows. Here is a fix for it. It fixes another potential buffer overflow too. This patch should be integrated in 2.0.32. -Andi
===================================================================
RCS file: /vger/u4/cvs/linux/drivers/isdn/isdn_tty.c,v
retrieving revision 1.17
diff -u -u -r1.17 isdn_tty.c
--- drivers/net/isdn/isdn_tty.c 1997/09/20 22:58:58 1.17
+++ drivers/net/isdn/isdn_tty.c 1997/11/16 12:46:35
@@ -2445,11 +2445,11 @@
 * Get phone-number from modem-commandbuffer
 */
 static void
-isdn_tty_getdial(char *p, char *q)
+isdn_tty_getdial(char *p, char *q,int cnt)
 {
 int first = 1;
- while (strchr("0123456789,#.*WPTS-", *p) && *p) {
+ while (strchr("0123456789,#.*WPTS-", *p) && *p && --cnt>0) {
 if ((*p >= '0' && *p <= '9') || ((*p == 'S') && first))
 *q++ = *p;
 p++;
@@ -2589,7 +2589,7 @@
 m->mdmreg[i], ((i + 1) % 10) ? " " : "\r\n");
 isdn_tty_at_cout(rb, info);
 }
- sprintf(rb, "\r\nEAZ/MSN: %s\r\n",
+ sprintf(rb, "\r\nEAZ/MSN: %.50s\r\n",
 strlen(m->msn) ? m->msn : "None");
 isdn_tty_at_cout(rb, info);
 break;
@@ -3092,7 +3092,7 @@
 break;
 case 'D':
 /* D - Dial */
- isdn_tty_getdial(++p, ds);
+ isdn_tty_getdial(++p, ds, sizeof ds);
 p += strlen(p);
 if (!strlen(m->msn))
 isdn_tty_modem_result(10, info);
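Review bot: The new `cnt` bound in the `while` condition is spent on every scanned character, including separators such as `,` and `-` that are never stored, and an over-long dial string is cut off without any indication to the caller. The loop can no longer store more than `cnt - 1` bytes, which closes the overflow, but the call site in the third hunk then skips the rest of the command with `p += strlen(p)`, so the driver would appear to dial a truncated number instead of rejecting the command. Consider decrementing the budget next to `*q++ = *p` and returning a status the caller can turn into an error result. The header comment should also state the contract, e.g. `/* cnt: size of q in bytes, including the trailing NUL */`; the terminating write itself is outside the hunk.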
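Review bot: The `%.50s` precision in the `sprintf` is a bare constant that is not tied to the size of `rb` or to the declared length of `m->msn`, neither of which is visible in this hunk. With this format the call writes at most 64 bytes including the terminator (11 for the prefix, 50 for the string, 2 for the line ending, 1 for the NUL), so the fix only holds while `rb` is at least that large. A comment stating that dependency, such as `/* rb must hold 64 bytes: 14 fixed + 50 from msn */`, or a named constant shared with the buffer declaration would keep the two from drifting apart.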
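Review bot: `sizeof ds` in the new call yields the buffer size only while `ds` is an array declared in the enclosing function; its declaration is outside the hunk. If `ds` is later turned into a pointer or passed in as a parameter, the expression silently becomes the pointer size and the bound no longer matches the buffer. A named constant used for both the declaration and this call would be more robust, e.g. `isdn_tty_getdial(++p, ds, DS_LEN);` where `DS_LEN` is a placeholder name for that constant.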