From owner-freebsd-bugs@FreeBSD.ORG Wed Jul 9 23:10:01 2008
Message-Id: <200807092308.m69N8bDF054230@www.freebsd.org>
Date: Wed, 9 Jul 2008 23:08:37 GMT
From: Dmitry Andrianov <666.root@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/125455: memcpy() integer buffer overflow
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Date: Wed, 9 Jul 2008 23:10:01 GMT

>Number:         125455
>Category:       misc
>Synopsis:       memcpy() integer buffer overflow
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 09 23:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Dmitry Andrianov
>Release:        7.0-RELEASE
>Organization:   79.120.123.5
>Environment:
FreeBSD zingel.dubki.ru 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #3: Tue Jul 8 17:48:53 EEST 2008 beastie@zingel.dubki.ru:/usr/obj/usr/src/sys/BEASTIE i386
>Description:
Hello. I found an error when using the following code:

------
#include <stdio.h>	/* printf */
#include <stdlib.h>	/* atoi */
#include <string.h>	/* memcpy */

#define BUF_SIZE 1024

int main(int argc, char *argv[])
{
	int ouch;
	char buf[BUF_SIZE];

	/* No argc check: run with no arguments, argv[1] is NULL and atoi() faults. */
	ouch = atoi(argv[1]);
	/* Signed comparison: a negative count passes this test and is converted
	 * to a huge size_t inside memcpy(), which then reads far past argv[2]. */
	if (ouch < BUF_SIZE) {
		memcpy(buf, argv[2], ouch);
	} else
		printf("wow data!!!\n");
	return 0;
}
----

error:
Segmentation fault: 11

gdb:
# gdb -c memcpy.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd".
Core was generated by `calloc'.
Program terminated with signal 11, Segmentation fault.
#0  0x28137b87 in ?? ()
(gdb) i r
eax            0x281627a0	672540576
ecx            0xbfbfeca0	-1077941088
edx            0xbfbfeca0	-1077941088
ebx            0x281637f8	672544760
esp            0xbfbfe810	0xbfbfe810
ebp            0xbfbfe838	0xbfbfe838
esi            0x0	0
edi            0x100	256
eip            0x28137b87	0x28137b87
eflags         0x10282	66178
cs             0x33	51
ss             0x3b	59
ds             0x3b	59
es             0x3b	59
fs             0x3b	59
gs             0x3b	59
(gdb)

Check, please. Thank You.
>How-To-Repeat:
# gcc -o memcpy memcpy.c
memcpy.c: In function 'main':
memcpy.c:15: warning: incompatible implicit declaration of built-in function 'memcpy'
memcpy.c:20: warning: incompatible implicit declaration of built-in function 'printf'
# ./memcpy
Segmentation fault: 11
# ./memcpy 1024
wow data!!!
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
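As an added example that is not part of the PR, here is the same copy written so that the count is parsed and bounds-checked as an unsigned size; the report's crash comes from the snippet's own unchecked inputs (a missing argv[1], or a negative count that passes the signed comparison), and this version rejects both. The names parse_count, bounded_copy and demo_copy are this example's own.

```c
/* Added example, not code from the PR: the reporter's copy with the checks
 * the snippet omits. parse_count and bounded_copy are this example's names. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 1024

enum copy_status { COPY_OK = 0, COPY_BAD_COUNT, COPY_TOO_LONG, COPY_SHORT_SRC };

/* Strict parse of a user-supplied count: unsigned decimal only, no trailing
 * junk, must fit in size_t. atoi() accepts "-1", which passes the PR's
 * `ouch < BUF_SIZE` test and becomes SIZE_MAX in memcpy(); atoi(NULL), which
 * the PR hits when run with no arguments, is rejected here as well. */
static int parse_count(const char *s, size_t *out)
{
    char *end;
    unsigned long long v;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > SIZE_MAX)
        return -1;
    *out = (size_t)v;
    return 0;
}

/* Copy count_str bytes of src into buf[bufsize], keeping room for a NUL.
 * Every bound is compared as size_t, so no value is reinterpreted. */
enum copy_status bounded_copy(char *buf, size_t bufsize,
                              const char *count_str, const char *src)
{
    size_t n;
    if (parse_count(count_str, &n) != 0)
        return COPY_BAD_COUNT;
    if (n >= bufsize)                          /* one byte for terminator */
        return COPY_TOO_LONG;
    if (src == NULL || memchr(src, '\0', n))   /* src shorter than n bytes */
        return COPY_SHORT_SRC;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return COPY_OK;
}

/* Scratch buffer so the check can be exercised without a main(). */
char demo_buf[BUF_SIZE];
enum copy_status demo_copy(const char *c, const char *s) { return bounded_copy(demo_buf, sizeof demo_buf, c, s); }
```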