Date: Mon, 13 Mar 2000 20:33:38 +0900
From: Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
To: freebsd-hackers@freebsd.org
Cc: Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp>
Subject: buffer overflow in rtm_type_name() of routed(8)
Message-ID: <14540.53778.434837.9786L@rina.r.dl.itc.u-tokyo.ac.jp>
[-- Attachment #1 --]
I had been experiencing routed(8) dumping core in about five minutes
after rebooting my box for several months. A string buffer in
rtm_type_name() of src/sbin/routed/table.c was overrun if the string
appropriate to the argument of rtm_type_name() was not found. The
router is a box running Solaris 2.6.
The following patch should fix this problem. With this patch, routed(8)
on my box has been running just fine for more than two days.
[-- Attachment #2 --]
--- table.c.org Fri Sep 17 03:50:10 1999
+++ table.c Sat Mar 11 15:03:09 2000
@@ -617,6 +617,7 @@
}
+#define NAME0_LEN 14
static const char *
rtm_type_name(u_char type)
{
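Review bot: The new `#define NAME0_LEN 14` is an unexplained constant, and nothing in the hunk ties it to the format string it has to cover. With the `u_char` argument and the "RTM type %#x" format used below, the longest output is "RTM type 0xff", which is 13 characters plus the terminating NUL, so 14 is exactly enough and leaves no slack. A comment on the define stating that derivation would stop a later change to the format string or the argument type from silently outgrowing the buffer.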
@@ -636,12 +637,12 @@
"RTM_DELADDR",
"RTM_IFINFO"
};
- static char name0[10];
+ static char name0[NAME0_LEN];
if (type > sizeof(rtm_types)/sizeof(rtm_types[0])
|| type == 0) {
- sprintf(name0, "RTM type %#x", type);
+ snprintf(name0, NAME0_LEN, "RTM type %#x", type);
return name0;
} else {
return rtm_types[type-1];
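Review bot: In the `snprintf(name0, NAME0_LEN, "RTM type %#x", type);` call, pass `sizeof(name0)` as the bound rather than repeating the macro, so the limit always follows the array declaration even if the two are edited separately; the macro then becomes unnecessary. It is also worth a comment that `name0` is a static buffer, so the pointer returned for one unknown type is overwritten by the next call that takes this branch.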
[-- Attachment #3 --]
--
Seigo Tanimura <tanimura@r.dl.itc.u-tokyo.ac.jp> <tanimura@FreeBSD.org>
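The sizing behind the patch, as an added example that is not part of the original message or of routed(8): it measures how many bytes the "RTM type %#x" format needs for every `u_char` value and shows truncation detection with a bounded write. The helper names `needed_for`, `max_needed` and `format_type` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define RTM_FMT "RTM type %#x"	/* format string from the patch */

/* Hypothetical helper: bytes, including the NUL, needed for one value. */
static size_t
needed_for(unsigned char type)
{
	int n = snprintf(NULL, 0, RTM_FMT, (unsigned)type);

	return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical helper: worst case over every value a u_char can hold. */
static size_t
max_needed(void)
{
	size_t worst = 0;
	unsigned t;

	for (t = 0; t <= 0xff; t++)
		if (needed_for((unsigned char)t) > worst)
			worst = needed_for((unsigned char)t);
	return worst;
}

/* Hypothetical helper: bounded format; 1 if the text fit, 0 if truncated. */
static int
format_type(char *buf, size_t len, unsigned char type)
{
	int n = snprintf(buf, len, RTM_FMT, (unsigned)type);

	return n >= 0 && (size_t)n < len;
}

int
main(void)
{
	char old_size[10], new_size[14];

	printf("worst case needs %zu bytes\n", max_needed());
	printf("10-byte buffer fits 0xff: %d\n",
	    format_type(old_size, sizeof(old_size), 0xff));
	printf("14-byte buffer fits 0xff: %d (%s)\n",
	    format_type(new_size, sizeof(new_size), 0xff), new_size);
	return 0;
}
```

Note that `%#x` prints zero as "0" with no prefix, so even the shortest output needs 11 bytes and never fit the original 10-byte array.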
