Bug 8028 - capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
Summary: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
Alias: None
Product: Drivers
Classification: Unclassified
Component: ISDN (show other bugs)
Hardware: i386 Linux
: P2 high
Assignee: Karsten Keil
Depends on:
Reported: 2007-02-17 13:02 UTC by Ben Hutchings
Modified: 2007-03-02 03:27 UTC (History)

See Also:
Kernel Version: 2.6.20
Regression: ---
Bisected commit-id:

patch proposal (18.05 KB, patch)
2007-02-25 06:02 UTC, Karsten Keil

Description Ben Hutchings 2007-02-17 13:02:58 UTC
See http://bugs.debian.org/408530 for an example of Asterisk crashing when
calling these debugging extensions to CAPI.

The same functions and implementations are present in the kernel and are used in
several logging calls. I don't see any sign of locking or other measures that
would make this thread-safe. The Debian bug report suggests that some messages
can overflow the 8 KB buffer. I don't know enough about the protocol to tell
whether this is a result of two threads trying to convert a message at the same
time or whether it can result from a single long message.
Comment 1 Ben Hutchings 2007-02-18 07:01:42 UTC
The Debian bug report for the kernel is now http://bugs.debian.org/411294
Comment 2 Karsten Keil 2007-02-25 05:55:27 UTC
Note: this code was never for production use; it was only a helper to debug
CAPI applications, but you are correct, this should be fixed.
It can be overflowed by a single evil message from a local source, but not via
the ISDN network. Here is a patch (2.6.20 based) to solve this.
Comment 3 Karsten Keil 2007-02-25 06:02:30 UTC
Created attachment 10526 [details]
patch proposal

The patch fixes two issues:
- fixes possible string overflows (grows the buffer or returns an error)
- allows concurrent access to these functions
It also allows disabling the CAPI trace feature completely (e.g. for low
memory embedded systems).
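The two properties the patch above is described as restoring, bounded output and safe concurrent use, come from one design change: the formatter must not write into a shared static buffer, and it must stop at the caller's buffer size instead of trusting the message's own length fields. The following is an added illustration of that pattern and is not Karsten's patch nor any kernel code; the message layout (a 4-byte header followed by length-prefixed information elements), the `cmsg2str`/`strbuf` names and the `CMSG_ERR_*` codes are all constructed for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CMSG_ERR_TRUNC = -1, CMSG_ERR_FORMAT = -2 };

/* Bounded output cursor; it lives on the caller's stack, so two threads
 * formatting at once never share state (unlike one static 8 KB buffer). */
struct strbuf {
    char *buf;
    size_t cap;     /* total size of buf, including room for the NUL */
    size_t len;     /* bytes written so far, excluding the NUL */
    int overflow;   /* set once output stopped fitting; never cleared */
};

static void sb_init(struct strbuf *sb, char *buf, size_t cap)
{
    sb->buf = buf; sb->cap = cap; sb->len = 0; sb->overflow = 0;
    if (cap > 0)
        buf[0] = '\0';
}

/* Append formatted text. On a would-be overflow the buffer stays
 * NUL-terminated, the flag is set and the rest is dropped; nothing is
 * ever written past cap, whatever the message claims about its length. */
static void sb_printf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (sb->overflow || sb->cap == 0) {
        sb->overflow = 1;
        return;
    }
    va_start(ap, fmt);
    n = vsnprintf(sb->buf + sb->len, sb->cap - sb->len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sb->cap - sb->len) {
        sb->overflow = 1;
        sb->len = sb->cap - 1;   /* vsnprintf already placed the NUL here */
        return;
    }
    sb->len += (size_t)n;
}

/* Toy message layout (constructed for this example, not real CAPI):
 * byte 0 command, byte 1 subcommand, bytes 2-3 message number (LE), then
 * information elements, each a length byte followed by that many bytes.
 * Returns the formatted length, CMSG_ERR_TRUNC if out was too small (out is
 * still NUL-terminated), or CMSG_ERR_FORMAT if the message is malformed. */
int cmsg2str(const uint8_t *msg, size_t msglen, char *out, size_t outsz)
{
    struct strbuf sb;
    size_t pos = 4;

    sb_init(&sb, out, outsz);
    if (msglen < 4)
        return CMSG_ERR_FORMAT;
    sb_printf(&sb, "cmd=0x%02x sub=0x%02x num=%u", (unsigned)msg[0],
              (unsigned)msg[1], (unsigned)(msg[2] | (msg[3] << 8)));
    while (pos < msglen) {
        size_t ielen = msg[pos], i;

        /* Length byte claims more than remains: untrusted input, reject. */
        if (ielen > msglen - pos - 1)
            return CMSG_ERR_FORMAT;
        sb_printf(&sb, " ie[");
        for (i = 0; i < ielen; i++)
            sb_printf(&sb, "%s%02x", i ? ":" : "", (unsigned)msg[pos + 1 + i]);
        sb_printf(&sb, "]");
        pos += 1 + ielen;
    }
    return sb.overflow ? CMSG_ERR_TRUNC : (int)sb.len;
}

/* Constructed sample messages: one well-formed, one whose IE length lies. */
static const uint8_t sample_msg[] = { 0x80, 0x00, 0x05, 0x00, 0x02, 0xaa, 0xbb, 0x00 };
static const uint8_t bad_msg[]    = { 0x80, 0x00, 0x01, 0x00, 0x05, 0xaa };

int demo_format(size_t outsz)          /* format sample_msg into outsz bytes */
{
    char out[64];
    if (outsz > sizeof out)
        outsz = sizeof out;
    return cmsg2str(sample_msg, sizeof sample_msg, out, outsz);
}

int demo_matches(const char *expected)  /* 1 if the full rendering equals expected */
{
    char out[64];
    return cmsg2str(sample_msg, sizeof sample_msg, out, sizeof out) >= 0
        && strcmp(out, expected) == 0;
}

int demo_malformed(void)
{
    char out[64];
    return cmsg2str(bad_msg, sizeof bad_msg, out, sizeof out);
}

int main(void)
{
    char out[64];
    printf("%d: %s\n", cmsg2str(sample_msg, sizeof sample_msg, out, sizeof out), out);
    printf("16-byte buffer -> %d, malformed -> %d\n", demo_format(16), demo_malformed());
    return 0;
}
```

The caller owns the buffer and learns via the return value whether the text was cut, which is the "return error" half of the fix; a caller that wants the whole string can retry with a larger buffer, the "grows buffer" half. Because no function touches global state, the same code is safe from concurrent logging paths without adding a lock.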
Comment 4 Karsten Keil 2007-03-02 03:27:12 UTC
Patch is in 2.6.21-rc2-git2 now.
