oss-sec mailing list archives
CVE Request - Incomplete dahdi/zaptel tor2.c patch for CVE-2008-5396
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 19 Dec 2008 14:32:12 +0100
Hello Steve,

Eugene Teo has discovered the tor2 upstream patch for CVE-2008-5396 was incomplete:

  http://bugs.digium.com/file_download.php?file_id=20796&type=bug

We were checking if lc->sync is in range of 0-63:

  kernel/tor2.c:#define MAX_TOR_CARDS 64

but then later in the code we used (zaptel/kernel/tor2.c):

  /* if a sync src, put it in the proper place */
  if (lc->sync) {
          p->tor->syncs[lc->sync - 1] = span->spanno;
          p->tor->psyncs[lc->sync - 1] = p->span + 1;
  }

The problem is 'syncs/psyncs' is defined as an array with only 4 items (from zaptel/kernel/tor2.c):

  struct tor2 {
          /* This structure exists one per card */
          struct pci_dev *pci;            /* Pointer to PCI device */
          int num;                        /* Which card we are */
          int syncsrc;                    /* active sync source */
          int syncs[SPANS_PER_CARD];      /* sync sources */
          int psyncs[SPANS_PER_CARD];     /* span-relative sync sources */

where 'SPANS_PER_CARD' is defined as:

  tor2.c:#define SPANS_PER_CARD 4

so the array index would overflow.

References:
==========
http://bugs.digium.com/view.php?id=13954
http://bugs.digium.com/file_download.php?file_id=20796&type=bug (original tor2 CVE-2008-5396 patch)
http://bugs.digium.com/view.php?id=13954#96700
https://bugzilla.redhat.com/show_bug.cgi?id=475446#c4

Patch:
=====
Upstream has already released a patch for this issue, available at:
http://svn.digium.com/view/dahdi?view=rev&revision=5590

Credit for discovering this issue goes to Eugene Teo.
=====

Could you please allocate a CVE id for this issue?

Thanks, Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
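As an added illustration (not part of Jan's message or of the dahdi/zaptel source), the C below places the mismatch the report describes side by side: a bounds check against MAX_TOR_CARDS next to one sized to the syncs[] array that lc->sync - 1 actually indexes. The struct tor2 and lineconfig here are cut-down stand-ins, and sync_ok_complete is what the analysis above implies, not the text of upstream revision 5590.

```c
#include <stdbool.h>
/* Constants as quoted from zaptel/kernel/tor2.c in the report. */
#define MAX_TOR_CARDS  64
#define SPANS_PER_CARD 4

/* Cut-down stand-ins (constructed) for struct tor2 and the lineconfig. */
struct tor2 {
    int syncs[SPANS_PER_CARD];
    int psyncs[SPANS_PER_CARD];
};
struct lineconfig { int sync; };

/* The check the report attributes to the original CVE-2008-5396 patch:
 * lc->sync is bounded by the number of cards, not by the size of syncs[]. */
static bool sync_ok_incomplete(int sync)
{
    return sync >= 0 && sync < MAX_TOR_CARDS;
}

/* A check sized to the array actually indexed: syncs[lc->sync - 1] exists
 * only for 1..SPANS_PER_CARD (0 means "not a sync source"). This is what
 * the analysis implies, not the text of the upstream fix. */
static bool sync_ok_complete(int sync)
{
    return sync >= 0 && sync <= SPANS_PER_CARD;
}

/* Record spanno as sync source lc->sync only when the index is in bounds;
 * returns false when the request is rejected. */
static bool set_sync(struct tor2 *t, const struct lineconfig *lc, int spanno)
{
    if (!sync_ok_complete(lc->sync))
        return false;
    if (lc->sync) {
        t->syncs[lc->sync - 1] = spanno;
        t->psyncs[lc->sync - 1] = spanno + 1; /* stand-in for p->span + 1 */
    }
    return true;
}

/* Constructed driver: the value stored in syncs[] for a request, 0 when
 * sync was 0 (nothing stored), or -1 when the request was rejected. */
static int demo_store(int sync, int spanno)
{
    struct tor2 t = {0};
    struct lineconfig lc = { sync };
    if (!set_sync(&t, &lc, spanno))
        return -1;
    return lc.sync ? t.syncs[lc.sync - 1] : 0;
}
```

A value such as 10 passes the card-count check but would index past syncs[3]; the array-sized check rejects it while still accepting 0 through 4.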