• Dan Carpenter's avatar
    isdnloop: several buffer overflows · 7563487c
    Dan Carpenter authored
    There are three buffer overflows addressed in this patch.
    
    1) In isdnloop_fake_err() we add an 'E' to a 60 character string and
    then copy it into a 60 character buffer.  I have made the destination
    buffer 64 characters and I'm changed the sprintf() to a snprintf().
    
    2) In isdnloop_parse_cmd(), p points to a 6 characters into a 60
    character buffer so we have 54 characters.  The ->eazlist[] is 11
    characters long.  I have modified the code to return if the source
    buffer is too long.
    
    3) In isdnloop_command() the cbuf[] array was 60 characters long but the
    max length of the string then can be up to 79 characters.  I made the
    cbuf array 80 characters long and changed the sprintf() to snprintf().
    I also removed the temporary "dial" buffer and changed it to use "p"
    directly.
    
    Unfortunately, we pass the "cbuf" string from isdnloop_command() to
    isdnloop_writecmd() which truncates anything over 60 characters to make
    it fit in card->omsg[].  (It can accept values up to 255 characters so
    long as there is a '\n' character every 60 characters).  For now I have
    just fixed the memory corruption bug and left the other problems in this
    driver alone.
    Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    7563487c
isdnloop.c 38 KB