Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
The same patch is applicable to sarge with trivial adjustment.

Ben.

-- 
Ben Hutchings
If God had intended Man to program, we'd have been born with serial I/O ports.
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
clone 408530 -1 -2
reassign -1 asterisk-chan-capi
retitle -1 asterisk-chan-capi: Need a mutex for calls to capi_{cmsg,message}2str
reassign -2 linux-2.6
retitle -2 linux-2.6: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
block -1 with 408530
tags -2 upstream
forwarded -2 http://bugzilla.kernel.org/show_bug.cgi?id=8028
thanks

This function and capi_message2str are not thread-safe either; nor can they be made so without the use of TSS for their buffers. chan_capi will need to use a mutex to prevent collision between concurrent uses of these functions. I don't know what can be done in the kernel. The buffer overflow could conceivably be due to two concurrent calls to these functions rather than a single message.

Ben.

-- 
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
tags 408530 patch thanks Patch for isdnutils: diff -u isdnutils-3.9.20060704/debian/rules isdnutils-3.9.20060704/debian/rules --- isdnutils-3.9.20060704/debian/rules +++ isdnutils-3.9.20060704/debian/rules @@ -388,6 +388,7 @@ ppp-2.4.4b1 \ vbox-little-endian \ toplevel-make \ + capi20-msg2str-safety \ ifeq ($(distribution),Ubuntu) debian_patches += no-imake only in patch2: unchanged: --- isdnutils-3.9.20060704.orig/debian/patches/capi20-msg2str-safety.dpatch +++ isdnutils-3.9.20060704/debian/patches/capi20-msg2str-safety.dpatch 
@@ -0,0 +1,58 @@ +#! /bin/sh -e + +# DP: Prevent buffer overflow in capi20_{cmsg,message}2str. +# DP: Add warning that they are not thread-safe. + +dir= +if [ $# -eq 3 -a $2 = '-d' ]; then +pdir=-d $3 +dir=$3/ +elif [ $# -ne 1 ]; then +echo 2 usage: `basename $0`: -patch|-unpatch [-d srcdir] +exit 1 +fi +case $1 in +-patch) +patch $pdir -f --no-backup-if-mismatch -p0 $0 +;; +-unpatch) +patch $pdir -f --no-backup-if-mismatch -R -p0 $0 +;; +*) + echo 2 usage: `basename $0`: -patch|-unpatch [-d srcdir] +exit 1 +esac +exit 0 + +--- capi20/capiutils.h~2005-03-08 07:26:47.0 + capi20/capiutils.h 2007-02-17 20:22:48.0 + +@@ -308,6 +308,10 @@ + #define capi20_cmd2strcapi_cmd2str + char *capi_cmd2str(_cbyte cmd, _cbyte subcmd); + ++/* ++ * WARNING: The following two functions use a single static buffer and ++ * are not thread-safe. ++ */ + #define capi20_cmsg2str capi_cmsg2str + char *capi_cmsg2str(_cmsg * cmsg); + +--- capi20/convert.c~ 2005-05-09 09:23:01.0 +0100 capi20/convert.c 2007-02-17 20:34:17.0 + +@@ -894,10 +894,14 @@ + static void bufprint(char *fmt,...) + { + va_list f; ++ size_t space = buf + sizeof(buf) - p, len; + va_start(f, fmt); +- vsprintf(p, fmt, f); ++ len = vsnprintf(p, space, fmt, f); + va_end(f); +- p += strlen(p); ++ if (len space - 1) ++ p += len; ++ else ++ p += space - 1; + } + + static void printstructlen(_cbyte * m, unsigned len) -- END -- I can't test this in place because I don't know how to construct a message that would overflow the buffer. However, the following test program: -- BEGIN -- static char buf[8192]; static char *p = 0; #include stdio.h #include stdarg.h static void bufprint(char *fmt,...) 
{
    va_list f;
    size_t space = buf + sizeof(buf) - p, len;
    va_start(f, fmt);
    len = vsnprintf(p, space, fmt, f);
    va_end(f);
    if (len < space - 1)
        p += len;
    else
        p += space - 1;   /* output did not fit: park p on the final NUL */
}

int main(void)
{
    int i;
    p = buf;
    p[0] = 0;
    for (i = 0; i != 10; ++i) {
        bufprint("%4096s", "foo");
        bufprint("%4096s", "bar?");
    }
    puts(buf);
}
-- END --

shows that output is truncated after the last character that will fit in the buffer (r in this case) as intended.

Ben.

-- 
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.
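Review bot: in the convert.c hunk the new test reads `if (len space - 1)` with no operator between `len` and `space - 1` in the patch as shown here; the `else p += space - 1;` branch only makes sense for `len < space - 1`, so the dpatch should be checked for a lost `<` before it is applied. The same hunk declares `len` as `size_t` although vsnprintf returns `int`: a negative return (an encoding error, or -1 from a pre-C99 snprintf on truncation) becomes a very large `size_t`, takes the `else` branch and pins `p` at the end of `buf`, so the rest of the message is dropped with nothing for the caller to notice. Suggest `int len;` with an explicit `if (len < 0)` check, and, since truncation is now the failure mode rather than an overflow, extending the new capiutils.h comment to say that the returned string may be cut off at `sizeof(buf)` bytes.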
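As an added example (not code from the bug report or the isdnutils patch), the patched bufprint arithmetic carried over to a caller-supplied buffer, which removes the shared static `buf`/`p` state that the thread says needs a mutex, and a truncation flag so a caller can tell that the text was cut. It is driven by the same 10-iteration loop as the test program above; the names `struct strbuf`, `sb_print` and `fill_like_bug_report` are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
/* Caller-owned output buffer replacing the static buf/p pair, so two
 * concurrent callers formatting different messages share no state. */
struct strbuf {
    char *buf;      /* storage supplied by the caller */
    size_t size;    /* total size, including room for the NUL */
    size_t used;    /* characters written so far, excluding the NUL */
    int truncated;  /* set once any output failed to fit */
};
static void sb_init(struct strbuf *sb, char *storage, size_t size)
{
    sb->buf = storage; sb->size = size; sb->used = 0; sb->truncated = 0;
    if (size) storage[0] = '\0';
}
/* Same arithmetic as the patched bufprint: vsnprintf is bounded by the
 * remaining space and the cursor never advances past size - 1. */
static void sb_print(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t space = sb->size - sb->used;
    int len;                      /* int, not size_t: vsnprintf may return < 0 */
    if (sb->size == 0) { sb->truncated = 1; return; }   /* nothing to write into */
    va_start(ap, fmt);
    len = vsnprintf(sb->buf + sb->used, space, fmt, ap);
    va_end(ap);
    if (len < 0) {                /* encoding error: leave buffer as it was */
        sb->truncated = 1;
    } else if ((size_t)len < space) {
        sb->used += (size_t)len;
    } else {                      /* output was cut: buffer is now full */
        sb->used = sb->size - 1;
        sb->truncated = 1;
    }
}
/* The loop from the test program in the bug report, over 8192 bytes. */
static char bug_storage[8192];
static struct strbuf bug_sb;
static char fill_like_bug_report(void)   /* returns the last kept char */
{
    int i;
    sb_init(&bug_sb, bug_storage, sizeof(bug_storage));
    for (i = 0; i != 10; ++i) {
        sb_print(&bug_sb, "%4096s", "foo");
        sb_print(&bug_sb, "%4096s", "bar?");
    }
    return bug_sb.used ? bug_sb.buf[bug_sb.used - 1] : '\0';
}
static size_t bug_report_used(void) { return bug_sb.used; }
static int bug_report_truncated(void) { return bug_sb.truncated; }
```

With the bug report's input the buffer ends in `...bar` (the `?` and all later output are dropped) and `truncated` is set, which the static version cannot report.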
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
Hi all,

Please notice that the routines in question are also repeated in the Linux kernel in drivers/isdn/capi/capiutil.c [1] and in isdn4k-utils in capi20/convert.c [2].

[1] http://chuck.netbsd.sk/source/xref/kernel-2.6.9/linux-2.6.9/drivers/isdn/capi/capiutil.c#838
[2] http://chuck.netbsd.sk/source/xref/isdn4k-utils-CVS-2003-09-23/capi20/convert.c#957

Regards,
-- 
Lubomir Kundrak (Red Hat Security Response Team)
Processed (with 5 errors): Re: Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
Processing commands for [EMAIL PROTECTED]:

tags 408530 +security
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
There were no tags set.
Tags added: security

severity 408530 grave
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
Severity set to `grave' from `important'

On Fri, Jan 26, 2007 at 04:34:32PM +0100, John Hughes wrote:
Unknown command or malformed arguments to command.

Package: libcapi20-3
Unknown command or malformed arguments to command.

Version: 1:3.9.20060704-2.2
Unknown command or malformed arguments to command.

Severity: important
Unknown command or malformed arguments to command.

the bufprint routine used by capi_cmsg2str does an unbounded
Unknown command or malformed arguments to command.

Too many unknown commands, stopping here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)