lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20140401154830.GA16759@mwanda>
Date:	Tue, 1 Apr 2014 18:48:30 +0300
From:	Dan Carpenter <dan.carpenter@...cle.com>
To:	Karsten Keil <isdn@...ux-pingi.de>
Cc:	netdev@...r.kernel.org
Subject: [bug report] buffer overflow in isdn capi

The command_2_index() function is buggy and leads to a buffer overflow.
Does anyone know how to fix this?

drivers/isdn/capi/capiutil.c
   403  static unsigned command_2_index(unsigned c, unsigned sc)
   404  {
   405          if (c & 0x80)
   406                  c = 0x9 + (c & 0x0f);
   407          else if (c <= 0x0f);
   408          else if (c == 0x41)
   409                  c = 0x9 + 0x1;
   410          else if (c == 0xff)
   411                  c = 0x00;
   412          return (sc & 3) * (0x9 + 0x9) + c;
   413  }

Imagine that we input c = 0x7f and sc = 0x3.  Then 3 * 18 + 127 = 181
and we return 181.

The other thing that stands out to me is that the last condition
"(c == 0xff)" is never true because then the first condition
"(c & 0x80)" would have been true already.

Here is how the function is used:

drivers/isdn/capi/capiutil.c
   564  /**
   565   * capi_message2cmsg() - disassemble CAPI 2.0 message into _cmsg structure
   566   * @cmsg:       _cmsg structure
   567   * @msg:        buffer for assembled message
   568   *
   569   * Return value: 0 for success
   570   */
   571  
   572  unsigned capi_message2cmsg(_cmsg *cmsg, u8 *msg)
   573  {
   574          memset(cmsg, 0, sizeof(_cmsg));
   575          cmsg->m = msg;
   576          cmsg->l = 8;
   577          cmsg->p = 0;
   578          byteTRcpy(cmsg->m + 4, &cmsg->Command);
   579          byteTRcpy(cmsg->m + 5, &cmsg->Subcommand);
   580          cmsg->par = cpars[command_2_index(cmsg->Command, cmsg->Subcommand)];
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
cpars = is a 79 element array.
cmsg->Command and cmsg->Subcommand come from skb->data so we can't trust
them.
181 is past the end of the 79 element array.

   581  
   582          message_2_pars(cmsg);
   583  
   584          wordTRcpy(msg + 0, &cmsg->l);
   585          wordTRcpy(cmsg->m + 2, &cmsg->ApplId);
   586          wordTRcpy(cmsg->m + 6, &cmsg->Messagenumber);
   587  
   588          return 0;
   589  }

regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ