Date: Mon, 13 Mar 2000 20:33:38 +0900
Message-ID: <14540.53778.434837.9786L@rina.r.dl.itc.u-tokyo.ac.jp>
From: Seigo Tanimura
To: freebsd-hackers@freebsd.org
Subject: buffer overflow in rtm_type_name() of routed(8)
Cc: Seigo Tanimura
Organization: Digital Library Research Division, Information Technology Centre, The University of Tokyo

I had been experiencing routed(8) dumping core about five minutes after rebooting my box for several months. A string buffer in rtm_type_name() of src/sbin/routed/table.c was overrun if the string appropriate to the argument of rtm_type_name() was not found. The router is a box running Solaris 2.6. The following patch should fix this problem. With this patch, routed(8) on my box has been running just fine for more than two days.

--- table.c.org Fri Sep 17 03:50:10 1999 +++ table.c Sat Mar 11 15:03:09 2000 @@ -617,6 +617,7 @@ } +#define NAME0_LEN 14 static const char * rtm_type_name(u_char type) { 
@@ -636,12 +637,12 @@ "RTM_DELADDR", "RTM_IFINFO" }; - static char name0[10]; + static char name0[NAME0_LEN]; if (type > sizeof(rtm_types)/sizeof(rtm_types[0]) || type == 0) { - sprintf(name0, "RTM type %#x", type); + snprintf(name0, NAME0_LEN, "RTM type %#x", type); return name0; } else { return rtm_types[type-1];

-- 
Seigo Tanimura
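
Review bot: the `#define NAME0_LEN 14` added in the first hunk (@@ -617,6 +617,7 @@) is an undocumented constant at file scope for a buffer that is local to rtm_type_name(). The value is an exact fit with no slack: "RTM type " is 9 characters, `%#x` of a u_char is at most 4 ("0xff"), plus the terminating NUL. Please add a comment stating that derivation, or drop the macro and size the array directly, so that a later change to the format string or to the argument type does not quietly turn this into truncated output.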
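
Review bot: in the second hunk (@@ -636,12 +637,12 @@) the snprintf() bound should be taken from the object, `snprintf(name0, sizeof(name0), "RTM type %#x", type);`, rather than repeating NAME0_LEN, so the bound cannot drift from the declaration of `name0`. It would also help the commit message to record that the old `name0[10]` could never hold this string (the 9-character prefix plus one digit and the NUL already needs 11 bytes), which means every unknown or zero `type` overran the static buffer, not only unusual values.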