Description of problem: The Linux kernel is prone to a buffer overflow vulnerability. This issue is due to a design error in the 'isdn_net_setcfg()' function. There is a buffer overflow vulnerability in function isdn_net_setcfg(). At line 1413 in drivers/isdn/i4l/isdn_common.c, the 'cfg' is read from user-space, so the 'cfg' is user-controlled. At line 1415, function isdn_net_setcfg() is invoked. The '&cfg' is passed to isdn_net_setcfg() as an argument. At line 2805 in drivers/isdn/i4l/isdn_net.c, function strcpy() is invoked. The size of argument lp->msn is 32 and cfg->eaz is 256. Because the data of '*cfg' is user-controlled (so cfg->eaz is user-controlled), it's possible to overrun destination string lp->msn by string cfg->eaz. When the length of string 'cfg->eaz' is greater than 32, a buffer overflow will occur. This issue is public via: http://bugzilla.kernel.org/show_bug.cgi?id=9416
Proposed upstream patch: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=0f13864e5b24d9cbe18d125d41bfa4b726a82e40
Created attachment 312419: Proposed backported patch for RHEL-3.9
Created attachment 312420: Proposed backported patch for RHEL-2.1
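As an added stand-alone model of the copy the description above refers to (not the kernel's code and not the upstream patch), the unbounded strcpy() pattern is shown beside a bounded replacement; the struct and field names are stand-ins, the 256-byte and 32-byte sizes are the ones given in the report, and the bounded version treats the user-supplied buffer as possibly lacking a NUL terminator.

```c
/* Stand-alone model of the isdn_net_setcfg() copy; added illustration,
 * not the kernel's code or the upstream patch. Struct/field names are
 * stand-ins; the sizes are the ones the report gives. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define EAZ_LEN 256   /* size of cfg->eaz (user-controlled), per the report */
#define MSN_LEN 32    /* size of lp->msn, per the report */

struct cfg_model { char eaz[EAZ_LEN]; };
struct lp_model  { char msn[MSN_LEN]; };

/* Length of s, never reading past max bytes: a buffer copied from user
 * space need not contain a NUL at all. */
size_t bounded_len(const char *s, size_t max)
{
    const char *nul = memchr(s, '\0', max);
    return nul ? (size_t)(nul - s) : max;
}

/* Pattern the report describes: strcpy() from a 256-byte source into a
 * 32-byte destination. Shown for comparison only; never call it with an
 * eaz that does not fit. */
void setcfg_unbounded(struct lp_model *lp, const struct cfg_model *cfg)
{
    strcpy(lp->msn, cfg->eaz);
}

/* Bounded form (an assumed repair, not necessarily the upstream one):
 * measure the source inside its own buffer and refuse anything that
 * would not fit in lp->msn together with its terminator. */
int setcfg_bounded(struct lp_model *lp, const struct cfg_model *cfg)
{
    size_t n = bounded_len(cfg->eaz, sizeof(cfg->eaz));

    if (n >= sizeof(lp->msn))
        return -EINVAL;           /* would overrun lp->msn; lp untouched */
    memcpy(lp->msn, cfg->eaz, n);
    lp->msn[n] = '\0';
    return 0;
}

/* Does this eaz fit in lp->msn with room for the NUL? (1 = yes, 0 = no) */
int eaz_fits(const struct cfg_model *cfg)
{
    return bounded_len(cfg->eaz, sizeof(cfg->eaz)) < MSN_LEN;
}
```

The boundary is 31 characters: a 32-character eaz leaves no room for the terminator and is rejected before anything is written.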