Bug 8028

Summary: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
Product: Drivers
Reporter: Ben Hutchings (ben-public-nospam)
Component: ISDN
Assignee: Karsten Keil (kernel)
Severity: high
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.20
Subsystem:
Regression: ---
Bisected commit-id:
Attachments: patch proposal

Description Ben Hutchings 2007-02-17 13:02:58 UTC
See http://bugs.debian.org/408530 for an example of Asterisk crashing when
calling these debugging extensions to CAPI.

The same functions and implementations are present in the kernel and are used in
several logging calls. I don't see any sign of locking or other measures that
would make this thread-safe. The Debian bug report suggests that some messages
can overflow the 8 KB buffer. I don't know enough about the protocol to tell
whether this is a result of two threads trying to convert a message at the same
time or whether it can result from a single long message.
Comment 1 Ben Hutchings 2007-02-18 07:01:42 UTC
The Debian bug report for the kernel is now http://bugs.debian.org/411294
Comment 2 Karsten Keil 2007-02-25 05:55:27 UTC
Note: this code was never for production use, it was only a helper to debug
CAPI applications, but you are correct, this should be fixed.
It can be overflowed by a single evil message from a local source, but not via
the ISDN network. Here is a patch (2.6.20 based) to solve this.
Comment 3 Karsten Keil 2007-02-25 06:02:30 UTC
Created attachment 10526 [details]
patch proposal

The patch fixes two issues:
- fixes possible string overflows (grows the buffer or returns an error)
- allows concurrent access to these functions
It also allows the CAPI trace feature to be disabled completely (e.g. for low
memory embedded systems).
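As an added example (not the attached kernel patch; `tracebuf`, `tracebuf_printf` and `dump_message` are hypothetical names), a caller-owned, length-checked trace buffer in the shape the comment describes: no shared static buffer for concurrent callers to race on, and an error return instead of an overflow when a message does not fit.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded trace buffer (not the kernel's code): the caller
 * owns the storage, so there is no shared static buffer to race on, and
 * every append is length-checked so it cannot run past the end. */
struct tracebuf {
    char   *data;     /* caller-provided storage */
    size_t  size;     /* capacity, including the terminating NUL */
    size_t  len;      /* bytes written so far */
    int     overflow; /* set once an append did not fit */
};

static void tracebuf_init(struct tracebuf *tb, char *storage, size_t size)
{
    tb->data = storage; tb->size = size; tb->len = 0; tb->overflow = 0;
    if (size) storage[0] = '\0';
}

/* Append formatted text. Returns 0, or -1 (and flags overflow) when it
 * does not fit; vsnprintf never writes beyond the remaining space, unlike
 * an unchecked sprintf into a fixed 8 KB buffer. */
static int tracebuf_printf(struct tracebuf *tb, const char *fmt, ...)
{
    va_list ap; int n;
    if (tb->overflow || tb->len >= tb->size) return -1;
    va_start(ap, fmt);
    n = vsnprintf(tb->data + tb->len, tb->size - tb->len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= tb->size - tb->len) {
        tb->overflow = 1;
        tb->data[tb->len] = '\0'; /* discard the truncated piece */
        return -1;
    }
    tb->len += (size_t)n;
    return 0;
}

/* Dump a message's bytes as hex, as a CAPI trace helper would.
 * Returns 0 on success, -1 if the dump does not fit in tb. */
static int dump_message(struct tracebuf *tb, const unsigned char *msg, size_t msglen)
{
    size_t i;
    if (tracebuf_printf(tb, "len=%zu:", msglen)) return -1;
    for (i = 0; i < msglen; i++)
        if (tracebuf_printf(tb, " %02x", msg[i])) return -1;
    return 0;
}
```

With a 16-byte buffer, a one-byte constructed message dumps fully, while a six-byte one stops at "len=6: 08 00 01" with an error instead of writing past the end.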
Comment 4 Karsten Keil 2007-03-02 03:27:12 UTC
Patch is in 2.6.21-rc2-git2 now.