From owner-freebsd-current@FreeBSD.ORG Sun Apr 20 01:15:45 2003
From: Sebastian Ssmoller
Sender: sebastian.ssmoller@web.de
To: Kris Kennaway
Cc: FreeBSD-audit, current@FreeBSD.org
Subject: Re: Buffer overflow in disklabel
Date: 20 Apr 2003 10:16:23 +0200
Message-Id: <1050826585.2052.12.camel@hadriel>
In-Reply-To: <20030420032303.GA25568@rot13.obsecurity.org>
References: <20030420032303.GA25568@rot13.obsecurity.org>
X-Mailer: Ximian Evolution 1.0.8-3mdk
X-Content-Filtered-By: Mailman/MimeDel 2.1.1
List-Id: Discussions about the use of FreeBSD-current

Hi,

I attached a patch for that problem. Can someone have a look at it?

But one thing is still unclear to me: why do we need an 8k buffer for the
disk name?

seb

On Sun, 2003-04-20 at 05:23, Kris Kennaway wrote:
> Run the following under /bin/sh (not tcsh, which - still! - has a bug
> that causes the command to hang tcsh):
>
> # disklabel `perl -e 'print "a"x51200'`
> Segmentation fault (core dumped)
>
> The responsible code is:
>
>     dkname = argv[0];
>     if (dkname[0] != '/') {
>         (void)sprintf(np, "%s%s%c", _PATH_DEV, dkname, 'a' + RAW_PART);
>         specname = np;
>         np += strlen(specname) + 1;
>     } else
>         specname = dkname;
>     f = open(specname, op == READ ? O_RDONLY : O_RDWR);
>     if (f < 0 && errno == ENOENT && dkname[0] != '/') {
>         (void)sprintf(specname, "%s%s", _PATH_DEV, dkname);
>         np = namebuf + strlen(specname) + 1;
>         f = open(specname, op == READ ? O_RDONLY : O_RDWR);
>     }
>
> i.e. overflowing an 8k buffer. Does anyone feel like fixing it?
>
> Kris
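The two quoted sprintf() calls copy _PATH_DEV plus a caller-controlled argv[0] into the fixed 8k namebuf with no length check, which is why a 51200-byte name crashes disklabel. The following is an added example, not Sebastian's attached patch (which the list software stripped) and not FreeBSD's code: it computes how many bytes the unbounded form would write, and puts a bounded snprintf() builder beside it that refuses names that do not fit. EX_PATH_DEV, EX_RAW_PART and EX_NAMEBUF_SIZE are assumed stand-ins for _PATH_DEV, RAW_PART and the namebuf size; build_specname(), specname_matches() and rejects_51200_a() are hypothetical helpers written for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed values (example-only): FreeBSD's <paths.h> and <sys/disklabel.h>
 * define _PATH_DEV and RAW_PART; they are redefined here under other names
 * so the file compiles on any system. */
#define EX_PATH_DEV     "/dev/"
#define EX_RAW_PART     2            /* 'a' + 2 == 'c' */
#define EX_NAMEBUF_SIZE 8192         /* the 8k namebuf the report refers to */

/* Bytes the unbounded sprintf("%s%s%c") in the report would write into
 * namebuf, including the terminating NUL. Computed rather than performed,
 * so this file never overflows anything. */
size_t unsafe_bytes_written(const char *dkname)
{
    return strlen(EX_PATH_DEV) + strlen(dkname) + 1 /* partition letter */ + 1;
}

/* Hardened equivalent of the two sprintf() calls: build the special-file
 * name into a caller-supplied buffer, refusing input that does not fit.
 * Returns the length written (without NUL), or -1 with errno = ENAMETOOLONG. */
int build_specname(char *buf, size_t bufsz, const char *dkname, int with_part)
{
    int n;

    if (dkname[0] == '/')
        n = snprintf(buf, bufsz, "%s", dkname);               /* absolute path */
    else if (with_part)
        n = snprintf(buf, bufsz, "%s%s%c", EX_PATH_DEV, dkname, 'a' + EX_RAW_PART);
    else
        n = snprintf(buf, bufsz, "%s%s", EX_PATH_DEV, dkname);

    /* snprintf returns the length it wanted to write; >= bufsz means truncated. */
    if (n < 0 || (size_t)n >= bufsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return n;
}

/* 1 if build_specname() produces exactly `expected` for dkname, else 0. */
int specname_matches(const char *dkname, int with_part, const char *expected)
{
    char buf[EX_NAMEBUF_SIZE];
    int n = build_specname(buf, sizeof buf, dkname, with_part);

    return n >= 0 && strcmp(buf, expected) == 0;
}

/* Reproduces the report's input, a disk name of 51200 'a's (constructed
 * inline): 1 if the unbounded form would overrun the 8k buffer and the
 * hardened builder rejects the name, 0 otherwise. */
int rejects_51200_a(void)
{
    static char bigname[51201];
    char buf[EX_NAMEBUF_SIZE];

    memset(bigname, 'a', sizeof bigname - 1);
    bigname[sizeof bigname - 1] = '\0';
    return unsafe_bytes_written(bigname) > EX_NAMEBUF_SIZE &&
           build_specname(buf, sizeof buf, bigname, 1) == -1 &&
           errno == ENAMETOOLONG;
}

int main(void)
{
    char buf[EX_NAMEBUF_SIZE];

    if (build_specname(buf, sizeof buf, "ad0", 1) >= 0)
        printf("ad0 -> %s\n", buf);
    printf("51200 x 'a' rejected by bounded builder: %s\n",
           rejects_51200_a() ? "yes" : "no");
    return 0;
}
```

The check on snprintf()'s return value is the part that matters: snprintf() truncates silently, so a caller that ignores a result of bufsz or more would open a truncated device path instead of the one the user named.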