Re: Linux-2.0.32.. [security patch included]

Andi Kleen (ak@muc.de)
17 Nov 1997 13:24:21 +0100


Linus Torvalds <torvalds@transmeta.com> writes:

> Thanks to everybody who has helped with the Pentium bug fixing effort by
> testing. I hope you can find the time to check this (hopefully last) patch
> out,

Please add this patch to 2.0.32. It fixes a buffer overrun in the isdn code
that could be used to run arbitrary code in kernel space as every user. Ugh.

-Andi

diff -u -u -r1.17 linux/drivers/isdn/isdn_tty.c
--- linux/drivers/isdn/isdn_tty.c 1997/09/20 22:58:58 1.17
+++ linux/drivers/isdn/isdn_tty.c 1997/11/16 12:46:35
@@ -2445,11 +2445,11 @@
* Get phone-number from modem-commandbuffer
*/
static void
-isdn_tty_getdial(char *p, char *q)
+isdn_tty_getdial(char *p, char *q,int cnt)
{
int first = 1;

- while (strchr("0123456789,#.*WPTS-", *p) && *p) {
+ while (strchr("0123456789,#.*WPTS-", *p) && *p && --cnt>0) {
if ((*p >= '0' && *p <= '9') || ((*p == 'S') && first))
*q++ = *p;
p++;
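Review bot: In the new loop condition, `--cnt>0` is charged for every character scanned from `p`, while only digits and a leading 'S' are stored to `q`. That keeps the writes in bounds, since at most cnt-1 bytes can be stored, but a number containing many separators such as ',' or '-' is cut off earlier than the destination requires. Consider decrementing the counter only in the branch that does `*q++ = *p`, so the limit tracks bytes written. The comment above the function should also say that `cnt` is the size of the buffer behind `q`, including room for the terminator, and the new parameter would read better as `char *q, int cnt`.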
@@ -2589,7 +2589,7 @@
m->mdmreg[i], ((i + 1) % 10) ? " " : "\r\n");
isdn_tty_at_cout(rb, info);
}
- sprintf(rb, "\r\nEAZ/MSN: %s\r\n",
+ sprintf(rb, "\r\nEAZ/MSN: %.50s\r\n",
strlen(m->msn) ? m->msn : "None");
isdn_tty_at_cout(rb, info);
break;
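Review bot: The precision in `%.50s` is a bare constant with nothing tying it to the size of `rb` or to the declared length of `m->msn`, neither of which is visible in this hunk. If either size changes later, the bound goes stale without any warning. If `rb` is an array here, consider `%.*s` with a precision derived from `sizeof(rb)` minus the 14 bytes of fixed text and terminator in this format string, or at least a named constant shared with the `msn` declaration and a comment stating why 50 is safe.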
@@ -3092,7 +3092,7 @@
break;
case 'D':
/* D - Dial */
- isdn_tty_getdial(++p, ds);
+ isdn_tty_getdial(++p, ds, sizeof ds);
p += strlen(p);
if (!strlen(m->msn))
isdn_tty_modem_result(10, info);
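Review bot: At the call site, `sizeof ds` only yields the buffer size if `ds` is declared as an array in this scope; the declaration is not in the hunk, and if `ds` is a `char *` this passes the pointer size instead. Please confirm the declaration, or pass the same size constant used to declare it. Also note that `p += strlen(p)` still skips the whole remainder of the command, so an over-long number is now silently truncated and processing continues with the shortened value. Having `isdn_tty_getdial` report truncation so the command can be rejected would be safer than dialing a partial number.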