The command_2_index() function is buggy and leads to a buffer overflow. Does anyone know how to fix this? drivers/isdn/capi/capiutil.c 403 static unsigned command_2_index(unsigned c, unsigned sc) 404 { 405 if (c & 0x80) 406 c = 0x9 + (c & 0x0f); 407 else if (c <= 0x0f); 408 else if (c == 0x41) 409 c = 0x9 + 0x1; 410 else if (c == 0xff) 411 c = 0x00; 412 return (sc & 3) * (0x9 + 0x9) + c; 413 } Imagine that we input c = 0x7f and sc = 0x3. Then 3 * 18 + 127 = 181 and we return 181. The other thing that stands out to me is that the last condition "(c == 0xff)" is never true because then the first condition "(c & 0x80)" would have been true already. Here is how the function is used: drivers/isdn/capi/capiutil.c 564 /** 565 * capi_message2cmsg() - disassemble CAPI 2.0 message into _cmsg structure 566 * @cmsg: _cmsg structure 567 * @msg: buffer for assembled message 568 * 569 * Return value: 0 for success 570 */ 571 572 unsigned capi_message2cmsg(_cmsg *cmsg, u8 *msg) 573 { 574 memset(cmsg, 0, sizeof(_cmsg)); 575 cmsg->m = msg; 576 cmsg->l = 8; 577 cmsg->p = 0; 578 byteTRcpy(cmsg->m + 4, &cmsg->Command); 579 byteTRcpy(cmsg->m + 5, &cmsg->Subcommand); 580 cmsg->par = cpars[command_2_index(cmsg->Command, cmsg->Subcommand)]; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ cpars = is a 79 element array. cmsg->Command and cmsg->Subcommand come from skb->data so we can't trust them. 181 is past the end of the 79 element array. 581 582 message_2_pars(cmsg); 583 584 wordTRcpy(msg + 0, &cmsg->l); 585 wordTRcpy(cmsg->m + 2, &cmsg->ApplId); 586 wordTRcpy(cmsg->m + 6, &cmsg->Messagenumber); 587 588 return 0; 589 } regards, dan carpenter -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html