List: oss-security
Subject: [oss-security] CVE Request - Incomplete dahdi/zaptel tor2.c patch for
From: Jan Lieskovsky <jlieskov () redhat ! com>
Date: 2008-12-19 13:32:12
Message-ID: 1229693532.19341.23.camel () iankko ! englab ! brq ! redhat ! com
Hello Steve,
Eugene Teo has discovered that the tor2 upstream patch for CVE-2008-5396 was incomplete.
http://bugs.digium.com/file_download.php?file_id=20796&type=bug
We were checking if lc->sync is in the range 0-63 (kernel/tor2.c: #define MAX_TOR_CARDS 64), but then later in the code we used:
zaptel/kernel/tor2.c:

    /* if a sync src, put it in the proper place */
    if (lc->sync) {
        p->tor->syncs[lc->sync - 1] = span->spanno;
        p->tor->psyncs[lc->sync - 1] = p->span + 1;
    }
The problem is that 'syncs/psyncs' is defined as an array with only 4 items (from zaptel/kernel/tor2.c):
    struct tor2 {
        /* This structure exists one per card */
        struct pci_dev *pci;        /* Pointer to PCI device */
        int num;                    /* Which card we are */
        int syncsrc;                /* active sync source */
        int syncs[SPANS_PER_CARD];  /* sync sources */
        int psyncs[SPANS_PER_CARD]; /* span-relative sync sources */
where 'SPANS_PER_CARD' is defined as:
tor2.c:#define SPANS_PER_CARD 4
so the array index would overflow.
References:
==========
http://bugs.digium.com/view.php?id=13954
http://bugs.digium.com/file_download.php?file_id=20796&type=bug (original tor2 CVE-2008-5396 patch)
http://bugs.digium.com/view.php?id=13954#96700
https://bugzilla.redhat.com/show_bug.cgi?id=475446#c4
Patch:
=====
Upstream has already released a patch for this issue, available at:
http://svn.digium.com/view/dahdi?view=rev&revision=5590

Credit for discovering this issue goes to Eugene Teo.
=====
Could you please allocate a CVE id for this issue?
Thanks, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
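The bound mismatch the mail describes, shown as an added illustration that is not code from dahdi/zaptel or from the upstream fix: a reduced model of struct tor2 (only the sync fields kept), the incomplete validation bounded by MAX_TOR_CARDS beside a check bounded by SPANS_PER_CARD, and an assumed helper tor2_set_sync() that refuses any index the arrays cannot hold.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_TOR_CARDS  64   /* as in tor2.c: number of cards, not spans */
#define SPANS_PER_CARD 4    /* as in tor2.c: size of syncs[] and psyncs[] */

/* Reduced model of the struct quoted in the mail (assumed layout for
 * illustration; the pci and num members are omitted). */
struct tor2 {
    int syncsrc;                 /* active sync source */
    int syncs[SPANS_PER_CARD];   /* sync sources */
    int psyncs[SPANS_PER_CARD];  /* span-relative sync sources */
};

/* Validation the incomplete patch performed: lc->sync checked against the
 * card count (0-63). Values 5..63 pass, yet index past the 4-entry arrays. */
bool sync_ok_incomplete(int sync)
{
    return sync >= 0 && sync < MAX_TOR_CARDS;
}

/* Validation tied to the array that is actually indexed: sync is 1-based,
 * so the only valid values are 0 (not a sync source) and 1..SPANS_PER_CARD. */
bool sync_ok_fixed(int sync)
{
    return sync >= 0 && sync <= SPANS_PER_CARD;
}

/* Assumed helper mirroring the quoted store: records spanno as sync source
 * number 'sync' for card t. Returns 0 on success, -1 when sync - 1 would fall
 * outside syncs[]/psyncs[]; the arrays are never touched in that case. */
int tor2_set_sync(struct tor2 *t, int sync, int spanno, int span_idx)
{
    if (!sync_ok_fixed(sync))
        return -1;
    if (sync) {                  /* 0 means "this span is not a sync source" */
        t->syncs[sync - 1]  = spanno;
        t->psyncs[sync - 1] = span_idx + 1;
    }
    return 0;
}
```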