
Bug 257281

Summary: xisdnload - buffer overflow
Product: Red Hat Enterprise Linux 5
Reporter: Flavio Leitner <fleitner>
Component: isdn4k-utils
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
QA Contact: desktop-bugs <desktop-bugs>
Severity: high
Priority: high
Version: 5.1
CC: dmair, pknirsch, tao
Hardware: All
OS: All
Fixed In Version: RHBA-2007-1075
Doc Type: Bug Fix
Last Closed: 2007-12-05 14:04:23 UTC
Bug Blocks: 246139, 296411
Attachments: Patch fixing buffer overflow replacing sprintf with snprintf. (Flags: none)

Description Flavio Leitner 2007-08-27 18:21:22 UTC
Description of problem:

The xisdnload crashes with the backtrace below:

# xisdnload&
[1] 3435
# *** buffer overflow detected ***: xisdnload terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xce9241]
/lib/libc.so.6[0xce8a58]
/lib/libc.so.6(_IO_default_xsputn+0xb4)[0xc6a554]
/lib/libc.so.6(_IO_padn+0xa8)[0xc5ee58]
/lib/libc.so.6(_IO_vfprintf+0x355a)[0xc469ba]
/lib/libc.so.6(__vsprintf_chk+0xad)[0xce8b0d]
/lib/libc.so.6(__sprintf_chk+0x30)[0xce8a40]
xisdnload[0x8049984]
/usr/lib/libXt.so.6(XtCallCallbacks+0x107)[0x10e767]
/usr/lib/libXaw.so.7[0x453ca0]
/usr/lib/libXt.so.6[0x128f62]
/usr/lib/libXt.so.6(XtAppNextEvent+0xb2)[0x1290a2]
/usr/lib/libXt.so.6(XtAppMainLoop+0x44)[0x11bec4]
xisdnload[0x804a467]
/lib/libc.so.6(__libc_start_main+0xdc)[0xc1ddec]
xisdnload[0x8048fa1]


Version-Release number of selected component (if applicable):
xisdnload-3.2-50.1

How reproducible:
Always

Steps to Reproduce:
Leave it running for some time.
  
Actual results:
Crash by overflow

Expected results:
Not crash

Additional info:
I'm attaching a patch replacing sprintf with snprintf, as the ISDN link
status string can be larger than the allocated buffer.
This patch is tested and works.

-Flavio

Comment 1 Flavio Leitner 2007-08-27 18:21:23 UTC
Created attachment 174081
Patch fixing buffer overflow replacing sprintf with snprintf.
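
The kind of fix this report describes (an unbounded sprintf into a fixed-size status buffer replaced by snprintf), as an added example that is not the attached patch or xisdnload's own code. The format string, buffer size, function names and sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_LEN 32  /* assumed size of the fixed status buffer */

/* Hypothetical stand-in for the static buffer mentioned in the report. */
static char status_buf[STATUS_LEN];

/* Number of characters an unbounded sprintf() would write for these values,
 * excluding the terminating NUL. snprintf(NULL, 0, ...) measures without
 * writing anything (C99). */
int status_needed(const char *link, unsigned long in_b, unsigned long out_b)
{
    return snprintf(NULL, 0, "%s in:%lu out:%lu", link, in_b, out_b);
}

/* Bounded formatter. Returns 0 if the text fit, 1 if it was truncated,
 * -1 on an output error. dst is NUL-terminated whenever dstlen > 0. */
int format_status(char *dst, size_t dstlen,
                  const char *link, unsigned long in_b, unsigned long out_b)
{
    int n = snprintf(dst, dstlen, "%s in:%lu out:%lu", link, in_b, out_b);
    if (n < 0) {
        if (dstlen > 0)
            dst[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it wanted to write, so a value at or
     * above dstlen means the output was cut short. */
    return (size_t)n >= dstlen ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values: small counters fit, large ones do not. */
    int rc = format_status(status_buf, sizeof status_buf, "ippp0", 0UL, 0UL);
    printf("rc=%d text=\"%s\"\n", rc, status_buf);

    rc = format_status(status_buf, sizeof status_buf,
                       "ippp0", 4294967295UL, 4294967295UL);
    printf("rc=%d needed=%d stored=%zu text=\"%s\"\n", rc,
           status_needed("ippp0", 4294967295UL, 4294967295UL),
           strlen(status_buf), status_buf);
    return 0;
}
```

With the large counters the string needs 34 characters plus a NUL, which is the case where sprintf would write past a 32-byte buffer; snprintf truncates instead and the return value lets the caller notice.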

Comment 4 Josh Bressers 2007-08-28 18:49:19 UTC
I've investigated this crash and it doesn't look like it's a security flaw.  The
crash is the result of ISDN statistics being improperly copied into a static
buffer.  The statistics are not attacker controllable.

Comment 7 RHEL Program Management 2007-08-31 09:03:03 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 16 errata-xmlrpc 2007-12-05 14:04:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-1075.html