TUCoPS :: Linux :: General :: lnxisdno.txt

Linux ISDN overflow & fix


Date: 16 Nov 1997 13:55:21 +0100
From: Andi Kleen <ak@muc.de>
To: Marc Lehmann <pcg@goof.com>
Cc: linux-kernel@vger.rutgers.edu, fritz@wuemaus.franken.de,
    isdn4linux@hub-wue.franken.de
Subject: Re: buffer-overflow in isdn

Marc Lehmann <pcg@goof.com> writes:

> in the isdn driver, the routine isdn_tty.c:isdn_tty_parse_at
> copies the string after "ATD" into a 40 byte buffer on the stack,
> without checking for overflows.

Here is a fix for it. It fixes another potential buffer overflow too.
This patch should be integrated in 2.0.32.

-Andi

===================================================================
RCS file: /vger/u4/cvs/linux/drivers/isdn/isdn_tty.c,v
retrieving revision 1.17
diff -u -u -r1.17 isdn_tty.c
--- drivers/net/isdn/isdn_tty.c 1997/09/20 22:58:58     1.17
+++ drivers/net/isdn/isdn_tty.c 1997/11/16 12:46:35
@@ -2445,11 +2445,11 @@
  * Get phone-number from modem-commandbuffer
  */
 static void
-isdn_tty_getdial(char *p, char *q)
+isdn_tty_getdial(char *p, char *q,int cnt)
 {
        int first = 1;

-       while (strchr("0123456789,#.*WPTS-", *p) && *p) {
+       while (strchr("0123456789,#.*WPTS-", *p) && *p && --cnt>0) {
                if ((*p >= '0' && *p <= '9') || ((*p == 'S') && first))
                        *q++ = *p;
                p++;
@@ -2589,7 +2589,7 @@
                                        m->mdmreg[i], ((i + 1) % 10) ? " " : "\r\n");
                                isdn_tty_at_cout(rb, info);
                        }
-                       sprintf(rb, "\r\nEAZ/MSN: %s\r\n",
+                       sprintf(rb, "\r\nEAZ/MSN: %.50s\r\n",
                                strlen(m->msn) ? m->msn : "None");
                        isdn_tty_at_cout(rb, info);
                        break;
@@ -3092,7 +3092,7 @@
                                break;
                        case 'D':
                                /* D - Dial */
-                               isdn_tty_getdial(++p, ds);
+                               isdn_tty_getdial(++p, ds, sizeof ds);
                                p += strlen(p);
                                if (!strlen(m->msn))
                                        isdn_tty_modem_result(10, info);


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH