    isdnloop: several buffer overflows · ef533ea1
    Dan Carpenter authored
    [ Upstream commit 7563487cbf865284dcd35e9ef5a95380da046737 ]
    
    There are three buffer overflows addressed in this patch.
    
    1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
    then copy it into a 60 character buffer.  I have made the destination
    buffer 64 characters and I have changed the sprintf() to a snprintf().
    
    2) In isdnloop_parse_cmd(), p points 6 characters into a 60
    character buffer so we have 54 characters.  The ->eazlist[] is 11
    characters long.  I have modified the code to return if the source
    buffer is too long.
    
    3) In isdnloop_command() the cbuf[] array was 60 characters long but the
    max length of the string then can be up to 79 characters.  I made the
    cbuf array 80 characters long and changed the sprintf() to snprintf().
    I also removed the temporary "dial" buffer and changed it to use "p"
    directly.
    
    Unfortunately, we pass the "cbuf" string from isdnloop_command() to
    isdnloop_writecmd() which truncates anything over 60 characters to make
    it fit in card->omsg[].  (It can accept values up to 255 characters so
    long as there is a '\n' character every 60 characters).  For now I have
    just fixed the memory corruption bug and left the other problems in this
    driver alone.
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>