Bug 257281 - xisdnload - buffer overflow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: isdn4k-utils
5.1
All All
high Severity high
Assigned To: Ngo Than
desktop-bugs@redhat.com
Blocks: 246139 296411
Reported: 2007-08-27 14:21 EDT by Flavio Leitner
Modified: 2013-04-12 15:19 EDT (History)
Fixed In Version: RHBA-2007-1075
Doc Type: Bug Fix
Last Closed: 2007-12-05 09:04:23 EST
Patch fixing buffer overflow replacing sprintf with snprintf. (1.19 KB, patch)
2007-08-27 14:21 EDT, Flavio Leitner
Description Flavio Leitner 2007-08-27 14:21:22 EDT
Description of problem:

xisdnload crashes with the backtrace below:

# xisdnload&
[1] 3435
# *** buffer overflow detected ***: xisdnload terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xce9241]
/lib/libc.so.6[0xce8a58]
/lib/libc.so.6(_IO_default_xsputn+0xb4)[0xc6a554]
/lib/libc.so.6(_IO_padn+0xa8)[0xc5ee58]
/lib/libc.so.6(_IO_vfprintf+0x355a)[0xc469ba]
/lib/libc.so.6(__vsprintf_chk+0xad)[0xce8b0d]
/lib/libc.so.6(__sprintf_chk+0x30)[0xce8a40]
xisdnload[0x8049984]
/usr/lib/libXt.so.6(XtCallCallbacks+0x107)[0x10e767]
/usr/lib/libXaw.so.7[0x453ca0]
/usr/lib/libXt.so.6[0x128f62]
/usr/lib/libXt.so.6(XtAppNextEvent+0xb2)[0x1290a2]
/usr/lib/libXt.so.6(XtAppMainLoop+0x44)[0x11bec4]
xisdnload[0x804a467]
/lib/libc.so.6(__libc_start_main+0xdc)[0xc1ddec]
xisdnload[0x8048fa1]


Version-Release number of selected component (if applicable):
xisdnload-3.2-50.1

How reproducible:
Always

Steps to Reproduce:
Let it run for some time.
  
Actual results:
Crash by overflow

Expected results:
No crash

Additional info:
I'm attaching a patch replacing sprintf with snprintf, as the ISDN link
status string can be larger than the buffer allocated.
This patch is tested and works.

-Flavio
Comment 1 Flavio Leitner 2007-08-27 14:21:23 EDT
Created attachment 174081
Patch fixing buffer overflow replacing sprintf with snprintf.
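
The sprintf-to-snprintf change described above, as an added example that is not the attached patch or the project's code: it bounds the write to the buffer and reports truncation instead of overflowing. The format string, `STATUS_BUF`, `struct link_stats` and `format_status` are assumptions, since the page does not show the original source.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_BUF 40 /* assumed size; the real buffer size is not on the page */

/* Hypothetical stand-in for the link statistics shown in the status line. */
struct link_stats {
    const char *iface;
    unsigned long long rx_bytes;
    unsigned long long tx_bytes;
};

/*
 * Format the status line into dst, which holds cap bytes.
 * Returns 0 if the whole string fit, 1 if it was truncated, -1 on error.
 * If needed is non-NULL it receives the untruncated length (without NUL),
 * so the caller can log how far the buffer fell short.
 */
int format_status(char *dst, size_t cap, const struct link_stats *s,
                  size_t *needed)
{
    if (dst == NULL || cap == 0 || s == NULL || s->iface == NULL)
        return -1;
    /* sprintf() here would write past dst once the counters widen. */
    int n = snprintf(dst, cap, "%-8s in %10llu out %10llu",
                     s->iface, s->rx_bytes, s->tx_bytes);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    if (needed != NULL)
        *needed = (size_t)n;
    return (size_t)n >= cap;
}

int main(void)
{
    /* Constructed sample values: counters early on and after long uptime. */
    struct link_stats early = { "ippp0", 1234ULL, 5678ULL };
    struct link_stats late = { "ippp0", 18446744073709551615ULL,
                               18446744073709551615ULL };
    char buf[STATUS_BUF];
    size_t need = 0;

    int rc = format_status(buf, sizeof buf, &early, &need);
    printf("rc=%d need=%zu \"%s\"\n", rc, need, buf);
    rc = format_status(buf, sizeof buf, &late, &need);
    printf("rc=%d need=%zu \"%s\"\n", rc, need, buf);
    return 0;
}
```

A field width such as `%10llu` is a minimum, not a maximum, so a buffer sized for the padded layout still overflows with sprintf once a value outgrows its column.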
Comment 4 Josh Bressers 2007-08-28 14:49:19 EDT
I've investigated this crash and it doesn't look like it's a security flaw.  The
crash is the result of ISDN statistics being improperly copied into a static
buffer.  The statistics are not attacker controllable.
Comment 7 RHEL Product and Program Management 2007-08-31 05:03:03 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 16 errata-xmlrpc 2007-12-05 09:04:23 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-1075.html
