ISDN4Linux Bug in isdnhdlc.c

From: Karsten Keil
Date: Thu Feb 03 2005 - 11:04:41 EST

Next message: Alan Stern: "Re: your mail"
Previous message: linux-os: "Re: Query - Regarding strange behaviour."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Oskar found a critical bug in isdnhdlc.c, please
apply this simple fix to next versions.

From: Oskar Senft <oskar.senft@xxxxxx>

isdnhdlc_decode is called multiple times for bigger frames, so
decrementing dsize is a bad idea and can cause a overflow of
the dst buffer.

Signed-off-by: Karsten Keil <kkeil@xxxxxxx>

diff -ur linux-2.6.11-rc2.org/drivers/isdn/hisax/isdnhdlc.c linux-2.6.11-rc2/drivers/isdn/hisax/isdnhdlc.c
--- linux-2.6.11-rc2.org/drivers/isdn/hisax/isdnhdlc.c 2004-11-23 15:53:25.000000000 +0100
+++ linux-2.6.11-rc2/drivers/isdn/hisax/isdnhdlc.c 2005-02-03 15:50:06.352137856 +0100
@@ -308,7 +308,7 @@
hdlc->crc = crc_ccitt_byte(hdlc->crc, hdlc->shift_reg);

// good byte received
- if (dsize--) {
+ if (hdlc->dstpos < dsize) {
dst[hdlc->dstpos++] = hdlc->shift_reg;
} else {
// frame too long

--
Karsten Keil
SuSE Labs
ISDN development
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alan Stern: "Re: your mail"
Previous message: linux-os: "Re: Query - Regarding strange behaviour."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]