Date:      Tue, 13 Apr 1999 18:19:47 -0600 (MDT)
From:      Stephen Clawson <sclawson@cs.utah.edu>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   bin/11122: ypserv dumps core: bad length given to a strncmp in yp_next_record.
Message-ID:  <199904140019.SAA17132@ibapah.cs.utah.edu>


>Number:         11122
>Category:       bin
>Synopsis:       ypserv dumps core: bad length given to a strncmp in yp_next_record.
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 13 17:20:00 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Stephen Clawson
>Release:        FreeBSD 3.0-CURRENT i386 (jan 27, 1999)
>Organization:
University of Utah
>Environment:

        A dual PII/350 running FreeBSD 3.0-CURRENT as of jan 27, 1999, acting
        as a yp slave for a group of 40+ machines running FreeBSD, NetBSD and
        Linux.

        It's the same set-up from bin/10970 and bin/10971.

>Description:

        There's a bug in yp_dblookup.c:yp_next_record().  The key passed
        in to yp_next_record is compared against all the keys in the database
        using strncmp.  However, the length given to strncmp is the size of
        the first key, so if the second key is shorter and happens to be
        aligned in memory so that accessing past the end of it hits
        unallocated memory, ypserv will core dump.

        The sad thing is that there's a check to see if the key lengths
        don't match, but it's _after_ the strncmp. =(  Swapping their places
        nicely fixes the problem.

>How-To-Repeat:

	Run a yp server with a decent number of machines.

>Fix:
	
diff -c -r1.15 yp_dblookup.c
*** yp_dblookup.c       1998/02/11 19:15:32     1.15
--- yp_dblookup.c       1999/04/13 23:51:44
***************
*** 615,622 ****
                if (qhead.cqh_first->dbptr->key == NULL) {
  #endif
                        (dbp->seq)(dbp,&lkey,&ldata,R_FIRST);
!                       while(strncmp((char *)key->data,lkey.data,
!                               (int)key->size) || key->size != lkey.size)
                                if ((dbp->seq)(dbp,&lkey,&ldata,R_NEXT)) {
  #ifdef DB_CACHE
                                        qhead.cqh_first->dbptr->size = 0;
--- 615,623 ----
                if (qhead.cqh_first->dbptr->key == NULL) {
  #endif
                        (dbp->seq)(dbp,&lkey,&ldata,R_FIRST);
!                       while (key->size != lkey.size ||
!                              strncmp((char *)key->data,lkey.data,
!                                      (int)key->size))
                                if ((dbp->seq)(dbp,&lkey,&ldata,R_NEXT)) {
  #ifdef DB_CACHE
                                        qhead.cqh_first->dbptr->size = 0;
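Review bot: the reordering is sound because `||` short-circuits, so strncmp is now reached only when key->size == lkey.size and the bound it is given covers both buffers; two smaller points in the same while condition. The candidate key comes back from the DB as a counted byte buffer (lkey.data/lkey.size), not a NUL-terminated string, so `memcmp((char *)key->data, lkey.data, key->size)` states the intent more precisely than strncmp and does not stop early at an embedded NUL; and the `(int)key->size` cast is unnecessary, since strncmp takes a size_t.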



>Release-Note:
>Audit-Trail:
>Unformatted:
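As an added illustration (not code from this PR or from ypserv), a stand-alone C model of the yp_next_record() scan that places the pre-patch and post-patch comparison orders side by side; `struct rec`, `sample_db` and the function names are constructed for this example.

```c
/* Keys are length-counted byte buffers (like Berkeley DB's DBT) with no
 * NUL terminator, so comparing bytes before checking the length can read
 * past the end of a shorter candidate key. */
#include <stddef.h>
#include <string.h>

struct rec {            /* constructed stand-in for a DBT key */
    const char *data;
    size_t      size;
};

/* Pre-patch order: strncmp runs with key->size even when the candidate
 * is shorter, which is the over-read the report describes.
 * Returns nonzero when the keys differ. Shown for contrast; not used below. */
static int key_differs_buggy(const struct rec *key, const struct rec *lkey)
{
    return strncmp(key->data, lkey->data, key->size) || key->size != lkey->size;
}

/* Post-patch order: the length test short-circuits the byte comparison,
 * so the byte compare is only reached when both buffers hold exactly
 * key->size bytes. memcmp is used because the buffers are not strings. */
static int key_differs_fixed(const struct rec *key, const struct rec *lkey)
{
    return key->size != lkey->size ||
           memcmp(key->data, lkey->data, key->size) != 0;
}

/* Sequential scan as in yp_next_record: locate the record whose key equals
 * `key` and return the index of the record after it, or -1 if none. */
static int next_record_index(const struct rec *db, size_t n,
                             const struct rec *key)
{
    for (size_t i = 0; i < n; i++)
        if (!key_differs_fixed(key, &db[i]))
            return (i + 1 < n) ? (int)(i + 1) : -1;
    return -1;
}

/* Constructed sample map in database order; the middle key is shorter
 * than the one being looked up, the case from the report. */
static const struct rec sample_db[] = {
    { "hostA", 5 }, { "ab", 2 }, { "hostB", 5 },
};

/* Look up a NUL-terminated key string in sample_db with the fixed scan. */
int demo_next_record(const char *keystr)
{
    struct rec key = { keystr, strlen(keystr) };
    return next_record_index(sample_db,
                             sizeof sample_db / sizeof sample_db[0], &key);
}
```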

