--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libcapi20-3: buffer overflow in "printbuf" called from capi_cmsg2str
- From: John Hughes <john@Calva.COM>
- Date: Fri, 26 Jan 2007 16:34:32 +0100
- Message-id: <45BA1F88.1040609@Calva.COM>
Package: libcapi20-3
Version: 1:3.9.20060704-2.2
Severity: important
the bufprint routine used by capi_cmsg2str does an unbounded vsprintf
into an 8192-byte buffer, perhaps hoping it's big enough.
It isn't.
Looks like someone needs some vsnprintf-like training wheels.
(around line 898 in "convert.c")
#4 0xb7c9e811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7c9ffb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6 0xb6bbf21c in bufprint (fmt=0xb6bc061f " %02x") at convert.c:910
#7 0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at convert.c:927
#8 0xb6bbf34c in protocol_message_2_pars (cmsg=0xb69d4234, level=1) at convert.c:1003
#9 0xb6bbf722 in capi_cmsg2str (cmsg=0xb69d4234) at convert.c:1045
#10 0xb6be4d16 in capidev_loop (data=0x0) at chan_capi.c:4051
#11 0x080ed2c0 in dummy_start (data=0x81e6ee8) at utils.c:545
#12 0xb7f16240 in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#13 0xb7d4132e in clone () from /lib/tls/i686/cmov/libc.so.6
(gdb) frame 7
#7 0xb6bbf63f in protocol_message_2_pars (cmsg=0xb69d4234, level=2) at convert.c:927
927 bufprint(" %02x", *m);
(gdb) p p - buf
$1 = 8194
(gdb) p *cmsg
$2 = {ApplId = 1, Command = 2 '\002', Subcommand = 130 '\202',
Messagenumber = 5019, adr = {adrController = 257,
adrPLCI = 257, adrNCCI = 257}, AdditionalInfo = CAPI_COMPOSE,
B1configuration = 0x0, B1protocol = 0,
B2configuration = 0x0, B2protocol = 0, B3configuration = 0x0,
B3protocol = 0, BC = 0xb6b4eb5e "\003\200\220�",
BChannelinformation = 0xb6b4eb67 "", BProtocol = CAPI_COMPOSE,
CalledPartyNumber = 0xb6b4eb5a "",
CalledPartySubaddress = 0xb6b4eb5c "", CallingPartyNumber = 0xb6b4eb5b
"", CallingPartySubaddress = 0xb6b4eb5d "",
CIPmask = 0, CIPmask2 = 0, CIPValue = 16, Class = 0, ConnectedNumber =
0x0, ConnectedSubaddress = 0x0, Data32 = 0,
Data64 = 0, DataHandle = 0, DataLength = 0,
FacilityConfirmationParameter = 0x0,
Facilitydataarray = 0xb6b4eb6a "", FacilityIndicationParameter = 0x0,
FacilityRequestParameter = 0x0,
FacilityResponseParameters = 0x0, FacilitySelector = 0, Flags = 0,
Function = 0, Globalconfiguration = 0x0,
HLC = 0xb6b4eb63 "\002\221\201\004", Info = 0, InfoElement = 0x0,
InfoMask = 0, InfoNumber = 0,
Keypadfacility = 0xb6b4eb68 "", LLC = 0xb6b4eb62 "", ManuData = 0x0,
ManuID = 0, NCPI = 0x0, Reason = 0,
Reason_B3 = 0, Reject = 0, Useruserdata = 0xb6b4eb69 "",
SendingComplete = 0xb6b4eb6b '�' <repeats 127 times>,
Data = 0x0, l = 31, p = 14, par = 0xb6bc0bbc
"\003\024\016\020\017\021\v)#\004\f(0\0342\001\001",
m = 0xb6b4eb4c "\037", buf = '\0' <repeats 179 times>}
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-jh-1
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages libcapi20-3 depends on:
ii libc6 2.3.6.ds1-10 GNU C Library: Shared libraries
libcapi20-3 recommends no packages.
-- no debconf information
--- End Message ---
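The defect the report describes is a write cursor advanced by an unbounded vsprintf into a fixed buffer. The following added example is not libcapi20's code; it is a hypothetical reconstruction of that pattern next to a bounded version that tracks the space left and records truncation instead of writing past the end. The buffer is deliberately tiny (16 bytes instead of 8192) so the overflow point is reached by a short " %02x" byte dump like the one in frame 7.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16            /* small on purpose; the real buffer was 8192 */
static char buf[BUF_SIZE];
static char *p = buf;          /* write cursor, as in "p p - buf" above */
static int truncated;

/* Hypothetical sketch of the reported pattern: no bound at all, so once
 * p - buf approaches BUF_SIZE the next call writes past the array.
 * Shown for comparison only; it is never called. */
static void bufprint_unbounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    p += vsprintf(p, fmt, ap);
    va_end(ap);
}

/* Hardened form: vsnprintf limited to the remaining room, cursor pinned
 * at the final NUL, and a flag the caller can check for lost output. */
static void bufprint_bounded(const char *fmt, ...)
{
    size_t room = (size_t)(buf + BUF_SIZE - p);
    va_list ap;
    int n;
    if (room == 0) { truncated = 1; return; }
    va_start(ap, fmt);
    n = vsnprintf(p, room, fmt, ap);   /* n = length that would have been written */
    va_end(ap);
    if (n < 0) { truncated = 1; return; }
    if ((size_t)n >= room) {
        truncated = 1;
        p = buf + BUF_SIZE - 1;        /* vsnprintf already wrote the NUL here */
    } else {
        p += n;
    }
}

/* Format len bytes as " %02x" each (the call in frame 7) and return the
 * final cursor offset; p - buf can never exceed BUF_SIZE - 1. */
static long dump_bytes(const unsigned char *m, size_t len)
{
    size_t i;
    p = buf; buf[0] = '\0'; truncated = 0;
    for (i = 0; i < len; i++)
        bufprint_bounded(" %02x", m[i]);
    return p - buf;
}
```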