Description of problem:
The Linux kernel is prone to a buffer overflow vulnerability. This
issue is due to a design error in the 'isdn_net_setcfg()' function.
There is a buffer overflow vulnerability in function isdn_net_setcfg().
At line 1413, in drivers/isdn/i4l/isdn_common.c, the 'cfg' is read from
user space, so the 'cfg' is user-controlled. At line 1415, function
isdn_net_setcfg() is invoked. The '&cfg' is passed to isdn_net_setcfg()
as an argument.
At line 2805 in drivers/isdn/i4l/isdn_net.c, function strcpy() is invoked. The
size of argument lp->msn is 32 and cfg->eaz is 256. Because the data of '*cfg'
is user-controlled (so cfg->eaz is user-controlled), it's possible to overrun
the destination string lp->msn with the string cfg->eaz. When the length of string
'cfg->eaz' is greater than 32, a buffer overflow will occur.
This issue is public via:
http://bugzilla.kernel.org/show_bug.cgi?id=9416
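As an added illustration (not the kernel's code and not part of this report), the following shows a bounded replacement for the strcpy(lp->msn, cfg->eaz) call described above. The field names and sizes (msn[32], eaz[256]) follow the report; the struct layouts, the function names and the test helper are assumptions made for the example.

```c
/* Added example, not kernel code: a length-checked copy of the untrusted
 * cfg->eaz into the fixed-size lp->msn. Struct layouts are constructed. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <string.h>
#include <errno.h>

#define MSN_LEN 32   /* size of lp->msn as stated in the report */
#define EAZ_LEN 256  /* size of cfg->eaz as stated in the report */

struct net_cfg   { char eaz[EAZ_LEN]; };   /* copied in from user space, untrusted */
struct net_local { char msn[MSN_LEN]; };   /* kernel-side, fixed size */

/* Copy cfg->eaz into lp->msn only if it fits, terminator included.
 * Returns 0 on success, -EINVAL if the user string is too long or has
 * no terminator inside its own buffer. lp->msn is left untouched on
 * failure, so a rejected request cannot partially overwrite the field. */
int set_msn_checked(struct net_local *lp, const struct net_cfg *cfg)
{
    /* strnlen bounds the scan to the source buffer: user data need not
     * carry a NUL, and strlen() would read past the end looking for one. */
    size_t n = strnlen(cfg->eaz, sizeof(cfg->eaz));

    if (n >= sizeof(cfg->eaz))   /* no terminator within eaz[] */
        return -EINVAL;
    if (n >= sizeof(lp->msn))    /* would not fit together with the NUL */
        return -EINVAL;

    memcpy(lp->msn, cfg->eaz, n);
    lp->msn[n] = '\0';
    return 0;
}

/* Test helper (assumed, not from the page): builds a constructed eaz of
 * 'len' non-NUL bytes and reports what the checked copy decides. */
int try_eaz_len(size_t len)
{
    struct net_cfg cfg;
    struct net_local lp;

    memset(&cfg, 0, sizeof(cfg));
    memset(lp.msn, 'X', sizeof(lp.msn));      /* sentinel, never overwritten on failure */
    if (len > sizeof(cfg.eaz))
        len = sizeof(cfg.eaz);
    memset(cfg.eaz, 'A', len);                /* len == 256 leaves no terminator */
    return set_msn_checked(&lp, &cfg);
}
```

With the original strcpy(), a 40-byte eaz would overrun the 32-byte msn; with the check above the same input is refused with -EINVAL and the destination is never written.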
Comment 9, Eugene Teo (Security Response), 2008-07-23 04:17:59 UTC