See http://bugs.debian.org/408530 for an example of Asterisk crashing when calling these debugging extensions to CAPI. The same functions and implementations are present in the kernel and are used in several logging calls. I don't see any sign of locking or other measures that would make this thread-safe. The Debian bug report suggests that some messages can overflow the 8 KB buffer. I don't know enough about the protocol to tell whether this is a result of two threads trying to convert a message at the same time or whether it can result from a single long message.
The Debian bug report for the kernel is now http://bugs.debian.org/411294
Note: this code was never for production use; it was only a helper to debug CAPI applications, but you are correct, this should be fixed. It can be overflowed by a single evil message from a local source, but not via the ISDN network. Here is a patch (2.6.20 based) to solve this.
Created attachment 10526: patch proposal

The patch fixes two issues:
- fixes possible string overflows (grows the buffer or returns an error)
- allows concurrent access to these functions

It also allows disabling the CAPI trace feature completely (e.g. for low-memory embedded systems).
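The two properties named in the patch description (grow the buffer or return an error, and allow concurrent callers) can be seen in a small userspace C sketch. This is an added example, not the attached patch or kernel code; `trace_buf`, `trace_printf`, `trace_hex` and the size limits are hypothetical names and values chosen for illustration.

```c
/* Added illustration; all names here are hypothetical, not the kernel's CAPI functions. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#define TRACE_INITIAL 64            /* small on purpose, so growth is exercised */
#define TRACE_MAX     (64 * 1024)   /* hard cap: input cannot grow it without bound */
struct trace_buf { char *data; size_t len, cap; };  /* len excludes the NUL */

/* One buffer per caller: no shared static state between threads. */
struct trace_buf *trace_new(void)
{
    struct trace_buf *b = malloc(sizeof(*b));
    if (b && !(b->data = malloc(TRACE_INITIAL))) { free(b); b = NULL; }
    if (b) { b->data[0] = '\0'; b->len = 0; b->cap = TRACE_INITIAL; }
    return b;
}

void trace_free(struct trace_buf *b) { if (b) { free(b->data); free(b); } }

/* Append formatted text; 0 on success, -1 on error (text so far is kept). */
int trace_printf(struct trace_buf *b, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
    va_end(ap);
    if (n >= 0 && (size_t)n >= b->cap - b->len) {   /* truncated: grow, retry */
        size_t need = b->len + (size_t)n + 1, cap = b->cap;
        char *p = NULL;
        if (need <= TRACE_MAX) { while (cap < need) cap *= 2; p = realloc(b->data, cap); }
        if (!p) n = -1;                             /* over the cap, or out of memory */
        else {
            b->data = p; b->cap = cap;
            va_start(ap, fmt);
            n = vsnprintf(b->data + b->len, b->cap - b->len, fmt, ap);
            va_end(ap);
        }
    }
    if (n < 0) { b->data[b->len] = '\0'; return -1; }  /* drop any partial write */
    b->len += (size_t)n;
    return 0;
}

/* Hex-render a message: per-byte expansion is what outgrows a fixed-size buffer. */
int trace_hex(struct trace_buf *b, const unsigned char *msg, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (trace_printf(b, " %02x", msg[i]) < 0) return -1;
    return 0;
}
```

A 4000-byte message renders to 12000 characters, more than an 8 KB buffer holds; here the buffer grows to fit it, and a message that would exceed `TRACE_MAX` makes the call fail with the text written so far still NUL-terminated.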
Patch is in 2.6.21-rc2-git2 now.