See http://bugs.debian.org/408530 for an example of Asterisk crashing when
calling these debugging extensions to CAPI.
The same functions and implementations are present in the kernel and are used in
several logging calls. I don't see any sign of locking or other measures that
would make this thread-safe. The Debian bug report suggests that some messages
can overflow the 8 KB buffer. I don't know enough about the protocol to tell
whether this is a result of two threads trying to convert a message at the same
time or whether it can result from a single long message.
The Debian bug report for the kernel is now http://bugs.debian.org/411294.
Note: this code was never for production use; it was only a helper to debug
CAPI applications, but you are correct that this should be fixed.
It can be overflowed by a single evil message from a local source, but not via
the ISDN network. Here is a patch (2.6.20 based) to solve this.
Created attachment 10526
The patch fixes two issues:
- fixes possible string overflows (grows the buffer or returns an error)
- allows concurrent access to these functions
It also allows disabling the CAPI trace feature completely (e.g. for low
memory embedded systems).
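To illustrate the two fixes described in that comment (a bounded buffer that returns an error instead of overflowing, and serialized access for concurrent callers), here is an added user-space model in C. It is not the kernel CAPI trace code or the attached patch: the 8 KB size is the figure quoted in the Debian report, the "xx " hex expansion used by `trace_hexdump` is an assumed rendering chosen to show how one long message can outgrow a fixed buffer, and a real driver would use the kernel's own locking primitives rather than a pthread mutex.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the shared trace buffer. The 8 KB figure is the one quoted in the
 * Debian bug report; everything else here is a constructed user-space model. */
#define TRACE_BUF_SIZE 8192

static char trace_buf[TRACE_BUF_SIZE];
static size_t trace_len;                 /* bytes used, excluding the NUL */
static pthread_mutex_t trace_lock = PTHREAD_MUTEX_INITIALIZER;

/* Room left for payload; one byte is always reserved for the terminator.
 * Must be called with trace_lock held. */
static size_t trace_room_locked(void)
{
    return TRACE_BUF_SIZE - 1 - trace_len;
}

/* Append n raw bytes. Returns 0 on success, -1 if the text would not fit;
 * on -1 the buffer is left exactly as it was (no partial write). */
int trace_append(const char *s, size_t n)
{
    int rc = -1;
    pthread_mutex_lock(&trace_lock);
    if (n <= trace_room_locked()) {
        memcpy(trace_buf + trace_len, s, n);
        trace_len += n;
        trace_buf[trace_len] = '\0';
        rc = 0;
    }
    pthread_mutex_unlock(&trace_lock);
    return rc;
}

/* Render a message as "xx " per byte (assumed format). The 3x expansion is
 * what lets a single long message exceed a fixed buffer; the size check is
 * done before any byte is written, so the result is all-or-nothing. */
int trace_hexdump(const unsigned char *msg, size_t n)
{
    int rc = -1;
    pthread_mutex_lock(&trace_lock);
    if (n <= trace_room_locked() / 3) {
        for (size_t i = 0; i < n; i++) {
            /* 4 bytes of room: "xx " plus the NUL that snprintf writes */
            snprintf(trace_buf + trace_len, 4, "%02x ", msg[i]);
            trace_len += 3;
        }
        rc = 0;
    }
    pthread_mutex_unlock(&trace_lock);
    return rc;
}

/* Discard the current trace text (e.g. after it has been read out). */
void trace_reset(void)
{
    pthread_mutex_lock(&trace_lock);
    trace_len = 0;
    trace_buf[0] = '\0';
    pthread_mutex_unlock(&trace_lock);
}

/* Snapshot of the current length, taken under the lock. */
size_t trace_length(void)
{
    pthread_mutex_lock(&trace_lock);
    size_t n = trace_len;
    pthread_mutex_unlock(&trace_lock);
    return n;
}

/* Copy the current text, NUL-terminated, into dst (dstsz > 0).
 * Returns the number of payload bytes copied. */
size_t trace_copy(char *dst, size_t dstsz)
{
    pthread_mutex_lock(&trace_lock);
    size_t n = trace_len < dstsz - 1 ? trace_len : dstsz - 1;
    memcpy(dst, trace_buf, n);
    dst[n] = '\0';
    pthread_mutex_unlock(&trace_lock);
    return n;
}

int main(void)
{
    unsigned char small[16], big[4000];   /* constructed sample messages */
    memset(small, 0xab, sizeof small);
    memset(big, 0xab, sizeof big);

    trace_append("msg: ", 5);
    trace_hexdump(small, sizeof small);
    printf("%s\n", trace_buf);
    /* 4000 bytes would need 12000 bytes of text: rejected, buffer untouched */
    printf("oversized message rejected: %d\n", trace_hexdump(big, sizeof big));
    return 0;
}
```

The check-before-write order in `trace_hexdump` is the part that matters: computing the required size first and refusing the whole message keeps the buffer consistent for the next caller, and holding the lock across the size check and the write is what prevents two threads from each passing the check and then overflowing together.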
Patch is in 2.6.21-rc2-git2 now.