Kernel Buffer Overflow in the ISDN subsystem
Description: When dialing, the old Linux ISDN drivers copied everything after ATD into a 40 char stack buffer (!).
Author: Andi Kleen <ak@muc.de>
Compromise: root (local)
Vulnerable Systems: Linux 2.0.31, perhaps earlier.
Date: 16 November 1997
Date: 16 Nov 1997 13:55:21 +0100
From: Andi Kleen <ak@muc.de>
To: Marc Lehmann <pcg@goof.com>
Cc: linux-kernel@vger.rutgers.edu, fritz@wuemaus.franken.de,
isdn4linux@hub-wue.franken.de
Subject: Re: buffer-overflow in isdn
Marc Lehmann <pcg@goof.com> writes:
> in the isdn driver, the routine isdn_tty.c:isdn_tty_parse_at
> copies the string after "ATD" into a 40 byte buffer on the stack,
> without checking for overflows.
Here is a fix for it. It fixes another potential buffer overflow too.
This patch should be integrated in 2.0.32.
-Andi
===================================================================
RCS file: /vger/u4/cvs/linux/drivers/isdn/isdn_tty.c,v
retrieving revision 1.17
diff -u -u -r1.17 isdn_tty.c
--- drivers/net/isdn/isdn_tty.c 1997/09/20 22:58:58 1.17
+++ drivers/net/isdn/isdn_tty.c 1997/11/16 12:46:35
@@ -2445,11 +2445,11 @@
* Get phone-number from modem-commandbuffer
*/
static void
-isdn_tty_getdial(char *p, char *q)
+isdn_tty_getdial(char *p, char *q,int cnt)
{
int first = 1;
- while (strchr("0123456789,#.*WPTS-", *p) && *p) {
+ while (strchr("0123456789,#.*WPTS-", *p) && *p && --cnt>0) {
if ((*p >= '0' && *p <= '9') || ((*p == 'S') && first))
*q++ = *p;
p++;
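Review bot: In the new loop condition, `--cnt>0` is decremented for every character scanned, including the separator characters that the body skips without storing, so the limit bounds input consumed rather than bytes written through `q`. That is safe when the caller passes the destination size (at most cnt-1 stores, leaving one byte for a terminator, assuming one is written after the loop, which this hunk does not show), but it truncates dial strings earlier than the buffer requires and hides a side effect inside the condition. Consider decrementing only where `*q++ = *p` stores a byte, and add a comment stating that `cnt` is the size of the buffer at `q` including its terminator. Style: `char *q,int cnt` is missing a space after the comma.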
@@ -2589,7 +2589,7 @@
m->mdmreg[i], ((i + 1) % 10) ? " " : "\r\n");
isdn_tty_at_cout(rb, info);
}
- sprintf(rb, "\r\nEAZ/MSN: %s\r\n",
+ sprintf(rb, "\r\nEAZ/MSN: %.50s\r\n",
strlen(m->msn) ? m->msn : "None");
isdn_tty_at_cout(rb, info);
break;
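Review bot: The precision in `%.50s` is a bare constant with no visible link to the size of `rb` or of `m->msn`. With the fixed text around it, the formatted line can reach 63 characters plus the terminator, so the cap only protects `rb` if that buffer is at least 64 bytes, and its declaration is outside this hunk. Derive the precision from a named constant shared with the buffer declaration, or add a comment recording both sizes, so the two cannot drift apart in a later change.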
@@ -3092,7 +3092,7 @@
break;
case 'D':
/* D - Dial */
- isdn_tty_getdial(++p, ds);
+ isdn_tty_getdial(++p, ds, sizeof ds);
p += strlen(p);
if (!strlen(m->msn))
isdn_tty_modem_result(10, info);
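Review bot: At the `isdn_tty_getdial(++p, ds, sizeof ds)` call, the caller cannot tell that the number was cut short: the function returns void and the next line, `p += strlen(p)`, discards the rest of the command, so an over-long ATD string continues with a shortened number in `ds` instead of being rejected. Consider having `isdn_tty_getdial` return whether it stopped on the limit and reporting an error result here in that case. Also, `sizeof ds` is the right bound only while `ds` is an array declared in this function; the declaration is outside the hunk, so it is worth confirming and noting in a comment.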
This page is part of Fyodor's exploit
world.