Re: buffer-overflow in isdn

Andi Kleen (ak@muc.de)
16 Nov 1997 13:55:21 +0100


Marc Lehmann <pcg@goof.com> writes:

> in the isdn driver, the routine isdn_tty.c:isdn_tty_parse_at
> copies the string after "ATD" into a 40 byte buffer on the stack,
> without checking for overflows.

Here is a fix for it. It fixes another potential buffer overflow too.
This patch should be integrated in 2.0.32.

-Andi

===================================================================
RCS file: /vger/u4/cvs/linux/drivers/isdn/isdn_tty.c,v
retrieving revision 1.17
diff -u -u -r1.17 isdn_tty.c
--- drivers/net/isdn/isdn_tty.c 1997/09/20 22:58:58 1.17
+++ drivers/net/isdn/isdn_tty.c 1997/11/16 12:46:35
@@ -2445,11 +2445,11 @@
* Get phone-number from modem-commandbuffer
*/
static void
-isdn_tty_getdial(char *p, char *q)
+isdn_tty_getdial(char *p, char *q,int cnt)
{
int first = 1;

- while (strchr("0123456789,#.*WPTS-", *p) && *p) {
+ while (strchr("0123456789,#.*WPTS-", *p) && *p && --cnt>0) {
if ((*p >= '0' && *p <= '9') || ((*p == 'S') && first))
*q++ = *p;
p++;
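Review bot: the new `--cnt>0` guard decrements on every character consumed from `p`, not only on the ones written to `q`, so separators such as `,`, `#`, `.`, `*` and `-` that the `if` skips still use up the budget; the bound is safe but stricter than the destination size, and a dial string with many separators will be cut short. The hunk does not show the terminator write after the loop, so it needs checking that `*q = '\0'` follows and that stopping when `cnt` reaches 1 leaves the one byte it needs when the caller passes the full array size. Style: the prototype wants a space after the comma (`char *q, int cnt`) and the condition reads better as `--cnt > 0`.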
@@ -2589,7 +2589,7 @@
m->mdmreg[i], ((i + 1) % 10) ? " " : "\r\n");
isdn_tty_at_cout(rb, info);
}
- sprintf(rb, "\r\nEAZ/MSN: %s\r\n",
+ sprintf(rb, "\r\nEAZ/MSN: %.50s\r\n",
strlen(m->msn) ? m->msn : "None");
isdn_tty_at_cout(rb, info);
break;
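Review bot: `%.50s` is a bare magic number; the hunk shows neither the size of `rb` nor of `m->msn`, so it has to be verified that 50 characters plus the fixed text `"\r\nEAZ/MSN: "`, `"\r\n"` and the NUL fit in `rb`, and the precision should be tied to the declared size of `m->msn` (a `sizeof`-derived constant or a named define) rather than a literal that silently drifts if either array is resized. A comment on the line saying why the precision is there would help the next reader.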
@@ -3092,7 +3092,7 @@
break;
case 'D':
/* D - Dial */
- isdn_tty_getdial(++p, ds);
+ isdn_tty_getdial(++p, ds, sizeof ds);
p += strlen(p);
if (!strlen(m->msn))
isdn_tty_modem_result(10, info);
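Review bot: `sizeof ds` is only the buffer size if `ds` is declared as an array in this function, which the hunk does not show; if `ds` were ever a pointer this would pass the pointer size and the check in `isdn_tty_getdial` would be useless, so a comment or a named size constant shared with the declaration is worth adding. Also, with the new bound a too-long number is now silently truncated and the following `p += strlen(p)` discards the rest, so the caller dials a different number than the one entered; the callee should signal that it hit the limit so this path can report an error instead of dialing the truncated string.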