Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str

2007-02-18 Thread Ben Hutchings
The same patch is applicable to sarge with trivial adjustment.

Ben.

-- 
Ben Hutchings
If God had intended Man to program,
we'd have been born with serial I/O ports.


signature.asc
Description: This is a digitally signed message part


Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str

2007-02-17 Thread Ben Hutchings
clone 408530 -1 -2
reassign -1 asterisk-chan-capi
retitle -1 asterisk-chan-capi: Need a mutex for calls to capi_{cmsg,message}2str
reassign -2 linux-2.6
retitle -2 linux-2.6: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow
block -1 with 408530
tags -2 upstream
forwarded -2 http://bugzilla.kernel.org/show_bug.cgi?id=8028
thanks

This function and capi_message2str are not thread-safe either; nor can
they be made so without the use of TSS for their buffers.  chan_capi
will need to use a mutex to prevent collision between concurrent uses of
these functions.  I don't know what can be done in the kernel.  The
buffer overflow could conceivably be due to two concurrent calls to
these functions rather than a single message.

Ben.

-- 
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.


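The mutex-and-copy pattern the message above says chan_capi would need, written out as an added example (not code from the bug report, isdnutils or chan_capi). `legacy_cmsg2str` is an assumed stand-in with the shape of capi_cmsg2str, i.e. it formats into one static buffer and returns a pointer into it; `cmsg2str_copy` is the hypothetical wrapper, and the command values and message names are constructed sample data. The point it demonstrates is that the lock has to cover both the call and the copy-out, because the returned pointer only means something until the next caller formats.

```c
/*
 * Added example: serialising callers of a non-reentrant formatter.
 * legacy_cmsg2str() is an ASSUMED stand-in modelled on capi_cmsg2str():
 * it writes into ONE static buffer and returns a pointer into it.
 * cmsg2str_copy() is a HYPOTHETICAL wrapper that holds a mutex across
 * the call and the copy-out, the only window in which that pointer is valid.
 */
#include <pthread.h>
#include <stdio.h>
#include <string.h>

#define LEGACY_BUF 64   /* deliberately small so truncation is visible */

static char legacy_buf[LEGACY_BUF];

/* Stand-in for the library routine: not thread-safe by design. */
static char *legacy_cmsg2str(unsigned cmd, unsigned subcmd, const char *info)
{
	/* bounded write, like the patched bufprint(): never runs past legacy_buf */
	snprintf(legacy_buf, sizeof legacy_buf, "cmd=0x%02x sub=0x%02x info=%s",
	         cmd, subcmd, info);
	return legacy_buf;
}

static pthread_mutex_t cmsg2str_lock = PTHREAD_MUTEX_INITIALIZER;

/*
 * Thread-safe wrapper. Copies the text into the caller's own buffer
 * (always NUL-terminated when outlen > 0) and returns the full length of
 * the formatted text, so a caller detects truncation with (ret >= outlen),
 * the same convention snprintf uses.
 */
static size_t cmsg2str_copy(char *out, size_t outlen,
                            unsigned cmd, unsigned subcmd, const char *info)
{
	const char *s;
	size_t n, ncopy;

	pthread_mutex_lock(&cmsg2str_lock);
	s = legacy_cmsg2str(cmd, subcmd, info);
	n = strlen(s);
	if (outlen > 0) {
		ncopy = n < outlen ? n : outlen - 1;
		memcpy(out, s, ncopy);
		out[ncopy] = '\0';
	}
	pthread_mutex_unlock(&cmsg2str_lock);   /* static buffer is free again */
	return n;
}

/*
 * Why the copy must happen under the same lock as the call: the pointer
 * from the first call still aims at the static buffer, whose contents the
 * second call has since replaced. Returns 1 when that is observed.
 * (Constructed sample values; not real CAPI command numbers.)
 */
static int stale_pointer_demo(void)
{
	char *first  = legacy_cmsg2str(0x02, 0x80, "CONNECT_REQ");
	char *second = legacy_cmsg2str(0x02, 0x81, "CONNECT_CONF");
	return first == second && strstr(first, "CONNECT_REQ") == NULL;
}

int main(void)
{
	char out[LEGACY_BUF], small[10];
	size_t n;

	n = cmsg2str_copy(out, sizeof out, 0x02, 0x80, "CONNECT_REQ");
	printf("%zu bytes: %s\n", n, out);
	n = cmsg2str_copy(small, sizeof small, 0x02, 0x80, "CONNECT_REQ");
	printf("%zu bytes needed, kept: \"%s\" (truncated: %d)\n",
	       n, small, n >= sizeof small);
	printf("stale pointer observed: %d\n", stale_pointer_demo());
	return 0;
}
```

Every thread that wants the string calls `cmsg2str_copy` with its own stack buffer; nothing outside the wrapper ever sees `legacy_buf`. The length-returning convention also means a caller can size a retry buffer if the message was cut off.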


Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str

2007-02-17 Thread Ben Hutchings
tags 408530 patch
thanks

Patch for isdnutils:

diff -u isdnutils-3.9.20060704/debian/rules isdnutils-3.9.20060704/debian/rules
--- isdnutils-3.9.20060704/debian/rules
+++ isdnutils-3.9.20060704/debian/rules
@@ -388,6 +388,7 @@
ppp-2.4.4b1 \
vbox-little-endian \
toplevel-make \
+   capi20-msg2str-safety \
 
 ifeq ($(distribution),Ubuntu)
   debian_patches += no-imake
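Review bot: The added `capi20-msg2str-safety \` line becomes the last element of a backslash-continued `debian_patches` list, so its trailing `\` and the blank continuation line below it are both load-bearing; as shown, the existing entries carry no leading whitespace while the new one is indented by three spaces, so check the indentation against the file's real convention (tabs vs. spaces) before applying.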
only in patch2:
unchanged:
--- isdnutils-3.9.20060704.orig/debian/patches/capi20-msg2str-safety.dpatch
+++ isdnutils-3.9.20060704/debian/patches/capi20-msg2str-safety.dpatch
@@ -0,0 +1,58 @@
+#! /bin/sh -e
+
+# DP: Prevent buffer overflow in capi20_{cmsg,message}2str.
+# DP: Add warning that they are not thread-safe.
+
+dir=
+if [ $# -eq 3 -a $2 = '-d' ]; then
+pdir=-d $3
+dir=$3/
+elif [ $# -ne 1 ]; then
+echo 2 usage: `basename $0`: -patch|-unpatch [-d srcdir]
+exit 1
+fi
+case $1 in
+-patch)
+patch $pdir -f --no-backup-if-mismatch -p0  $0
+;;
+-unpatch)
+patch $pdir -f --no-backup-if-mismatch -R -p0  $0
+;;
+*)
+   echo 2 usage: `basename $0`: -patch|-unpatch [-d srcdir]
+exit 1
+esac
+exit 0
+
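Review bot: In the dpatch driver, the two `patch $pdir -f --no-backup-if-mismatch ... -p0  $0` lines and the two `echo 2 usage: ...` lines are missing their redirection operators as shown (`< $0` to feed the script's own tail to `patch`, `>&2` to send the usage text to stderr); without the former `patch` would wait on the terminal, and without the latter the usage message and the literal `2` go to stdout. Also `pdir=-d $3` is assigned and later expanded unquoted, which is the usual dpatch template but breaks on a source directory containing spaces.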
+--- capi20/capiutils.h~2005-03-08 07:26:47.0 +
 capi20/capiutils.h 2007-02-17 20:22:48.0 +
+@@ -308,6 +308,10 @@
+ #define capi20_cmd2strcapi_cmd2str
+ char *capi_cmd2str(_cbyte cmd, _cbyte subcmd);
+ 
++/*
++ * WARNING: The following two functions use a single static buffer and
++ * are not thread-safe.
++ */
+ #define capi20_cmsg2str   capi_cmsg2str
+ char *capi_cmsg2str(_cmsg * cmsg);
+ 
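Review bot: The new comment says "the following two functions" but only the `capi_cmsg2str` define and prototype are in the hunk's trailing context; confirm that `capi_message2str` is declared immediately after, otherwise the warning reads as applying to one function only.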
+--- capi20/convert.c~  2005-05-09 09:23:01.0 +0100
 capi20/convert.c   2007-02-17 20:34:17.0 +
+@@ -894,10 +894,14 @@
+ static void bufprint(char *fmt,...)
+ {
+   va_list f;
++  size_t space = buf + sizeof(buf) - p, len;
+   va_start(f, fmt);
+-  vsprintf(p, fmt, f);
++  len = vsnprintf(p, space, fmt, f);
+   va_end(f);
+-  p += strlen(p);
++  if (len  space - 1)
++  p += len;
++  else
++  p += space - 1;
+ }
+ 
+ static void printstructlen(_cbyte * m, unsigned len)
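Review bot: The new test `if (len  space - 1)` has no comparison operator as shown; it needs `len < space - 1`, otherwise the truncating branch is never selected. Two further points on the same lines: `len` is a `size_t` holding the `int` result of `vsnprintf`, so a negative return (encoding error) wraps to a huge value and falls into the `p += space - 1` branch, which is safe but deserves an explicit `< 0` check or a comment; and `space - 1` would wrap if `p` ever reached `buf + sizeof(buf)`. The truncating branch pins `p` at `buf + sizeof(buf) - 1` at worst, so `space >= 1` holds once `p` is initialised inside `buf`, and with `space == 1` `vsnprintf` writes only the terminator; a one-line comment stating that invariant next to the `size_t space = ...` declaration would spare the next reader the derivation.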
-- END --

I can't test this in place because I don't know how to construct a
message that would overflow the buffer.  However, the following test
program:

-- BEGIN --
static char buf[8192];
static char *p = 0;

#include <stdio.h>
#include <stdarg.h>

/* Bounded append: write at most the space left in buf, then advance p by
 * what was actually stored so later calls cannot run past the end. */
static void bufprint(char *fmt, ...)
{
	va_list f;
	size_t space = buf + sizeof(buf) - p, len;
	va_start(f, fmt);
	len = vsnprintf(p, space, fmt, f);
	va_end(f);
	if (len < space - 1)
		p += len;		/* whole string fit */
	else
		p += space - 1;		/* truncated: p now rests on the final NUL */
}

int main(void)
{
	int i;
	p = buf;
	p[0] = 0;
	/* 20 appends of 4096 bytes each ask for 80 KiB; buf holds 8 KiB */
	for (i = 0; i != 10; ++i)
	{
		bufprint("%4096s", "foo");
		bufprint("%4096s", "bar?");
	}
	puts(buf);
	return 0;
}
-- END --

shows that output is truncated after the last character that will fit in
the buffer (r in this case) as intended.

Ben.

-- 
Ben Hutchings
It is easier to change the specification to fit the program than vice versa.




Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str

2007-01-29 Thread Lubomir Kundrak
Hi all,

Please notice that the routines in question are also repeated in Linux
kernel in drivers/isdn/capi/capiutil.c [1] and in isdn4k-utils in
capi20/convert.c [2].

[1] http://chuck.netbsd.sk/source/xref/kernel-2.6.9/linux-2.6.9/drivers/isdn/capi/capiutil.c#838
[2] http://chuck.netbsd.sk/source/xref/isdn4k-utils-CVS-2003-09-23/capi20/convert.c#957

Regards,
-- 
Lubomir Kundrak (Red Hat Security Response Team)



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Processed (with 5 errors): Re: Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str

2007-01-26 Thread Debian Bug Tracking System
Processing commands for [EMAIL PROTECTED]:

> tags 408530 +security
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
There were no tags set.
Tags added: security

> severity 408530 grave
Bug#408530: libcapi20-3: buffer overflow in printbuf called from capi_cmsg2str
Severity set to `grave' from `important'

> On Fri, Jan 26, 2007 at 04:34:32PM +0100, John Hughes wrote:
Unknown command or malformed arguments to command.

> > Package: libcapi20-3
Unknown command or malformed arguments to command.

> > Version: 1:3.9.20060704-2.2
Unknown command or malformed arguments to command.

> > Severity: important
Unknown command or malformed arguments to command.

> > the bufprint routine used by capi_cmsg2str does an unbounded
Unknown command or malformed arguments to command.

Too many unknown commands, stopping here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

