
Bug#411294: marked as done (linux-2.6: capi_{cmsg,message}2str not thread-safe; vulnerable to buffer overflow)



Your message dated Fri, 15 Jun 2007 16:28:08 +0200
with message-id <20070615142808.GB26270@wavehammer.waldi.eu.org>
and subject line fixed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libcapi20-3
Version: 1:3.9.20060704-2.2
Severity: important


The bufprint routine used by capi_cmsg2str does an unbounded vsprintf
into an 8192-byte buffer, perhaps hoping it's big enough.

It isn't.

Looks like someone needs some vsnprintf-like training wheels.

(around line 898 in "convert.c")

#4  0xb7c9e811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5  0xb7c9ffb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6  0xb6bbf21c in bufprint (fmt=0xb6bc061f " %02x") at convert.c:910
#7  0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at convert.c:927
#8  0xb6bbf34c in protocol_message_2_pars (cmsg=0xb69d4234, level=1) at convert.c:1003
#9  0xb6bbf722 in capi_cmsg2str (cmsg=0xb69d4234) at convert.c:1045
#10 0xb6be4d16 in capidev_loop (data=0x0) at chan_capi.c:4051
#11 0x080ed2c0 in dummy_start (data=0x81e6ee8) at utils.c:545
#12 0xb7f16240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#13 0xb7d4132e in clone () from /lib/tls/i686/cmov/libc.so.6

(gdb) frame 7
#7  0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at convert.c:927
927                                     bufprint(" %02x", *m);
(gdb) p p - buf
$1 = 8194

(gdb) p *cmsg
$2 = {ApplId = 1, Command = 2 '\002', Subcommand = 130 '\202', Messagenumber = 5019, adr = {adrController = 257,
    adrPLCI = 257, adrNCCI = 257}, AdditionalInfo = CAPI_COMPOSE, B1configuration = 0x0, B1protocol = 0,
  B2configuration = 0x0, B2protocol = 0, B3configuration = 0x0, B3protocol = 0, BC = 0xb6b4eb5e "\003\200\220�",
  BChannelinformation = 0xb6b4eb67 "", BProtocol = CAPI_COMPOSE, CalledPartyNumber = 0xb6b4eb5a "",
  CalledPartySubaddress = 0xb6b4eb5c "", CallingPartyNumber = 0xb6b4eb5b "", CallingPartySubaddress = 0xb6b4eb5d "",
  CIPmask = 0, CIPmask2 = 0, CIPValue = 16, Class = 0, ConnectedNumber = 0x0, ConnectedSubaddress = 0x0, Data32 = 0,
  Data64 = 0, DataHandle = 0, DataLength = 0, FacilityConfirmationParameter = 0x0,
  Facilitydataarray = 0xb6b4eb6a "", FacilityIndicationParameter = 0x0, FacilityRequestParameter = 0x0,
  FacilityResponseParameters = 0x0, FacilitySelector = 0, Flags = 0, Function = 0, Globalconfiguration = 0x0,
  HLC = 0xb6b4eb63 "\002\221\201\004", Info = 0, InfoElement = 0x0, InfoMask = 0, InfoNumber = 0,
  Keypadfacility = 0xb6b4eb68 "", LLC = 0xb6b4eb62 "", ManuData = 0x0, ManuID = 0, NCPI = 0x0, Reason = 0,
  Reason_B3 = 0, Reject = 0, Useruserdata = 0xb6b4eb69 "", SendingComplete = 0xb6b4eb6b '�' <repeats 127 times>,
  Data = 0x0, l = 31, p = 14, par = 0xb6bc0bbc "\003\024\016\020\017\021\v)#\004\f(0\0342\001\001",
  m = 0xb6b4eb4c "\037", buf = '\0' <repeats 179 times>}

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-jh-1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libcapi20-3 depends on:
ii  libc6                       2.3.6.ds1-10 GNU C Library: Shared libraries

libcapi20-3 recommends no packages.

-- no debconf information



--- End Message ---
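The report above pins down two separate defects in the same routine: bufprint() does an unbounded vsprintf into a fixed 8192-byte buffer (the `p - buf` of 8194 evaluated in frame 7 is already past the end), and the pointer and buffer it uses are file-scope state shared by every thread that calls capi_cmsg2str, which is the "not thread-safe" half of the bug title. The following is an added example, not code from libcapi20, chan_capi or the kernel, showing the pattern a practitioner would replace it with: a caller-owned buffer descriptor, an append routine that hands vsnprintf exactly the room that remains and records truncation instead of writing past the end, and the " %02x" per-byte loop from convert.c:927 rewritten on top of it. The names dbuf, dbuf_init, dbuf_printf, dump_message_hex, bytes_that_fit and check_dump are chosen for this example; the sample message bytes are constructed.

```c
/*
 * Added example, not code from libcapi20 or the kernel: a bounded,
 * caller-owned replacement for the static-buffer bufprint() pattern the
 * bug report describes.  All names below are chosen for this example.
 */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD  0xA5    /* sentinel placed just past the buffer in check_dump */
#define MAXCAP 8192    /* largest buffer check_dump will exercise */

struct dbuf {
    char  *data;      /* storage owned by the caller, so no shared global state */
    size_t cap;       /* capacity in bytes, including the terminating NUL */
    size_t len;       /* characters written so far, not counting the NUL */
    int    truncated; /* set once output stopped fitting */
};

static void dbuf_init(struct dbuf *b, char *storage, size_t cap)
{
    b->data = storage;
    b->cap = cap;
    b->len = 0;
    b->truncated = 0;
    if (cap > 0)
        storage[0] = '\0';
}

/*
 * Bounded append.  vsnprintf() is given exactly the space that remains and
 * returns the length the complete output would have had, which is how
 * truncation is detected.  Nothing is ever written past data[cap - 1].
 * Returns the number of characters appended, or -1 on truncation/error.
 */
static int dbuf_printf(struct dbuf *b, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (b->cap == 0 || b->len >= b->cap - 1) {
        b->truncated = 1;
        return -1;
    }
    room = b->cap - b->len;
    va_start(ap, fmt);
    n = vsnprintf(b->data + b->len, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        b->len = b->cap - 1;
        b->data[b->len] = '\0';   /* keep the string terminated even on error */
        b->truncated = 1;
        return -1;
    }
    b->len += (size_t)n;
    return n;
}

/*
 * The loop at convert.c:927 in the report (" %02x" per message byte), but
 * writing into a bounded buffer.  Returns how many message bytes were
 * emitted before the buffer ran out.
 */
static size_t dump_message_hex(struct dbuf *b, const unsigned char *m, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (dbuf_printf(b, " %02x", m[i]) < 0)
            break;
    return i;
}

/* Message bytes a cap-byte buffer can hold at 3 characters each plus the NUL. */
static size_t bytes_that_fit(size_t cap)
{
    return cap ? (cap - 1) / 3 : 0;
}

/*
 * Dump n constructed bytes into a cap-byte slice of a guarded local buffer.
 * Returns 1 when the guard byte past the buffer is untouched, the output is
 * NUL-terminated at data[len], and emitted/truncated match the expectation.
 */
static int check_dump(size_t cap, size_t n, size_t want_emitted, int want_trunc)
{
    unsigned char msg[MAXCAP];
    char storage[MAXCAP + 1];
    struct dbuf b;
    size_t i, emitted;

    if (cap == 0 || cap > MAXCAP || n > sizeof msg)
        return 0;
    for (i = 0; i < n; i++)
        msg[i] = (unsigned char)i;            /* constructed sample message */
    storage[cap] = (char)GUARD;
    dbuf_init(&b, storage, cap);
    emitted = dump_message_hex(&b, msg, n);

    return (unsigned char)storage[cap] == GUARD
        && b.len < cap && storage[b.len] == '\0'
        && strlen(storage) == b.len
        && emitted == want_emitted
        && b.truncated == want_trunc;
}

int main(void)
{
    char out[8192];
    unsigned char msg[8192];
    struct dbuf b;
    size_t i, emitted;

    for (i = 0; i < sizeof msg; i++)
        msg[i] = (unsigned char)i;            /* constructed sample message */

    printf("an %zu-byte buffer holds at most %zu dumped bytes\n",
           sizeof out, bytes_that_fit(sizeof out));
    dbuf_init(&b, out, sizeof out);
    emitted = dump_message_hex(&b, msg, sizeof msg);
    printf("dumped %zu of %zu bytes into %zu chars, truncated=%d\n",
           emitted, sizeof msg, b.len, b.truncated);
    return 0;
}
```

With the same 8192 bytes the original code had, at most 2730 message bytes fit in hex form; anything longer stops at the boundary with the truncated flag set rather than running off the end, and because the buffer and write position live in the caller's struct rather than at file scope, two threads formatting messages at once no longer share them.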
--- Begin Message ---
Version: 2.6.21-1

Fixed in 2.6.21-rc2-git2.

Bastian

-- 
Each kiss is as the first.
		-- Miramanee, Kirk's wife, "The Paradise Syndrome",
		   stardate 4842.6

--- End Message ---
