linux/drivers/isdn
Steven Rostedt 4448008eb1 isdn: icn: Fix stack corruption bug.
Running randconfig with ktest.pl I hit this bug:

[   16.101158] ICN-ISDN-driver Rev 1.65.6.8 mem=0x000d0000
[   16.106376] icn: (line0) ICN-2B, port 0x320 added
[   16.111064] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c1642880
[   16.111066] 
[   16.121214] Pid: 1, comm: swapper Not tainted 2.6.37-rc2-test-00124-g6656b3f #8
[   16.128499] Call Trace:
[   16.130942]  [<c0f51662>] ? printk+0x1d/0x23
[   16.135200]  [<c0f5153f>] panic+0x5c/0x162
[   16.139286]  [<c0d62a9a>] ? icn_addcard+0x6d/0xbe
[   16.143975]  [<c0445783>] print_tainted+0x0/0x8c
[   16.148582]  [<c1642880>] ? icn_init+0xd8/0xdf
[   16.153012]  [<c1642880>] icn_init+0xd8/0xdf
[   16.157271]  [<c04012e5>] do_one_initcall+0x8c/0x143
[   16.162222]  [<c16427a8>] ? icn_init+0x0/0xdf
[   16.166566]  [<c15f1a05>] kernel_init+0x13f/0x1da
[   16.171256]  [<c15f18c6>] ? kernel_init+0x0/0x1da
[   16.175945]  [<c0403bfe>] kernel_thread_helper+0x6/0x10
[   16.181181] panic occurred, switching back to text console

Looking into it I found that the stack was corrupted by the assignment
of the Rev #. The variable rev is given 10 bytes, and in this output the
characters that were copied were: " 1.65.6.8 $", which is 11 characters
plus the null ending character, for a total of 12 bytes, thus corrupting
the stack.

This patch ups the variable size to 20 bytes as well as changes the
strcpy to strncpy. I also added a check to make sure '$' is found.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-11-24 11:19:05 -08:00
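As an added example (not the driver's code and not the commit's patch), the following self-contained C program reproduces the shape of the bug the commit message describes: an RCS "$Revision: ... $" keyword string whose tail " 1.65.6.8 $" is 11 characters plus the terminating NUL, which an unbounded strcpy pushes past a 10-byte buffer. Beside it is a bounded extraction that refuses input without a closing '$' and never writes beyond the caller's buffer. The revision string, the names extract_rev and rev_matches, and the buffer sizes are constructed for this example; it uses an explicit length check plus memcpy rather than the strncpy the patch switched to.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample in the RCS "$Revision$" keyword format the commit
 * message quotes; this is not the driver's actual revision string. */
static const char revision[] = "$Revision: 1.65.6.8 $";

/* The pattern the commit fixes: a 10-byte buffer filled by an unbounded
 * strcpy of everything after the first space. " 1.65.6.8 $" is 11 chars
 * plus NUL = 12 bytes, so rev[10] is overrun and the stack canary trips.
 * Kept under #if 0 so the example never executes the overflow. */
#if 0
char rev[10];
strcpy(rev, strchr(revision, ' '));
#endif

/* Copy the revision number out of an RCS keyword string into buf.
 * Returns the number of characters stored, or -1 if the input does not
 * have the expected shape (no space, no closing '$', or longer than
 * the buffer can hold). buf is always NUL-terminated on success. */
int extract_rev(const char *src, char *buf, size_t buflen)
{
    const char *start, *end;
    size_t len;

    if (buflen == 0)
        return -1;
    start = strchr(src, ' ');
    if (!start)
        return -1;
    start++;                        /* skip the space after "Revision:" */
    end = strchr(start, '$');
    if (!end)
        return -1;                  /* malformed: refuse rather than guess */
    while (end > start && end[-1] == ' ')
        end--;                      /* drop the space before the '$' */
    len = (size_t)(end - start);
    if (len >= buflen)
        return -1;                  /* bounded: leave room for the NUL */
    memcpy(buf, start, len);
    buf[len] = '\0';
    return (int)len;
}

/* Helper for checking results: 1 if extraction into a buffer of buflen
 * bytes succeeds and yields expected, 0 otherwise. */
int rev_matches(const char *src, size_t buflen, const char *expected)
{
    char buf[32];

    if (buflen > sizeof(buf))
        return 0;
    if (extract_rev(src, buf, buflen) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char rev[20];                   /* the size the patch moves to */

    if (extract_rev(revision, rev, sizeof(rev)) < 0) {
        puts("malformed revision string");
        return 1;
    }
    printf("ICN-ISDN-driver Rev %s\n", rev);
    return 0;
}
```

The fix the commit describes is the same idea in two parts: make the destination large enough for the data actually present, and make the copy itself bounded so that a future change to the string cannot silently reintroduce the overrun; the '$' check additionally turns a malformed keyword string into an error instead of an over-read.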
act2000 isdn: Free irq_data namespace 2010-10-04 11:00:55 +02:00
capi convert get_sb_single() users 2010-10-29 04:16:28 -04:00
divert isdn: potential buffer overflows 2010-09-06 18:29:18 -07:00
gigaset isdn/gigaset: improve bas_gigaset USB error reporting 2010-10-01 00:33:37 -07:00
hardware drivers/isdn: delete double assignment 2010-10-27 12:23:21 -07:00
hisax trivial: fix typos concerning "function" 2010-11-01 06:38:12 -07:00
hysdn drivers: isdn: remove custom strtoul() 2010-07-15 19:05:25 -07:00
i4l Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2010-10-24 13:41:39 -07:00
icn isdn: icn: Fix stack corruption bug. 2010-11-24 11:19:05 -08:00
isdnloop include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
mISDN isdn: mISDN: socket: fix information leak to userland 2010-10-30 16:49:38 -07:00
pcbit drivers/isdn: Use static const char * const where possible 2010-09-14 20:22:02 -07:00
sc isdn: strcpy() => strlcpy() 2010-10-08 10:21:22 -07:00
Kconfig isdn: fix a few Kconfig imperfections 2010-02-22 15:45:53 -08:00
Makefile