From owner-freebsd-security Sun Feb 17 22:16:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 86CBC37B405; Sun, 17 Feb 2002 22:16:38 -0800 (PST)
Received: (from dillon@localhost) by apollo.backplane.com (8.11.6/8.9.1) id g1I6Gc511474; Sun, 17 Feb 2002 22:16:38 -0800 (PST) (envelope-from dillon)
Date: Sun, 17 Feb 2002 22:16:38 -0800 (PST)
From: Matthew Dillon
Message-Id: <200202180616.g1I6Gc511474@apollo.backplane.com>
To: security@freebsd.org
Subject: security bug / kernel tty buffer overflow
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Neelkanth Natu posted this message on hackers. There are two places in
kern/tty_pty.c that test ICANON against tp->t_iflag instead of
tp->t_lflag. I have committed a fix to -current with a 3-day MFC to
-stable. This should probably go into the security branch at some point.

-Matt
Matthew Dillon

:From: Neelkanth Natu
:Subject: bug in ptcwrite()
:To: freebsd-hackers@FreeBSD.ORG
:Date: Sun, 17 Feb 2002 13:52:40 -0800 (PST)
:
:Hi,
:
:The following code in ptcwrite() in kern/tty_pty.c is supposed to prevent
:the tty input buffer overflow (for certain cases):
:
:    if ((tp->t_rawq.c_cc + tp->t_canq.c_cc) >= TTYHOG - 2 &&
:        (tp->t_canq.c_cc > 0 || !(tp->t_iflag&ICANON))) {
:            wakeup(TSA_HUP_OR_INPUT(tp));
:            goto block;
:    }
:
:But the ICANON flag is set in tp->t_lflag and not tp->t_iflag. The ICRNL flag
:in tp->t_iflag has the same value as the ICANON flag in tp->t_lflag (0x100).
:This leads to input buffer overflow as soon as the ICRNL bit is set in
:tp->t_iflag, and there are more than 1024 characters that telnet/ssh wants
:to write to the pty.
:
:I discovered this problem when using libreadline because it changes the
:terminal settings every time it begins/finishes reading a line.
:
:Has anyone else seen a similar problem? I saw identical behavior on NetBSD
:too. Please CC me as I am not on the mailing list.
:
:thanks
:Neel
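The flag confusion described in the quoted report, as an added example that is not from the mailing-list post or the FreeBSD source: a small model of the ptcwrite() back-pressure check with the buggy test against t_iflag next to the corrected test against t_lflag. The flag values follow the post (ICANON and ICRNL both 0x100) and TTYHOG is taken as 1024 as the post implies; the `tty_model` struct and the `should_block_*` / scenario functions are constructed for illustration and are not kernel code.

```c
/*
 * Added example, not from the post or from kern/tty_pty.c: models why
 * masking ICANON against t_iflag really tests ICRNL, and what that does
 * to the input-queue high-water check.  Struct and helpers are
 * constructed for illustration.
 */
#include <stdio.h>
#include <stdbool.h>

#define TTYHOG  1024      /* input queue high-water mark, as the post implies */
#define ICANON  0x100     /* canonical (line-editing) mode: a t_lflag bit */
#define ICRNL   0x100     /* map CR to NL on input: a t_iflag bit, same value */

struct tty_model {
    unsigned t_iflag;     /* input-processing flags (ICRNL, ...) */
    unsigned t_lflag;     /* local flags (ICANON, ECHO, ...) */
    int rawq_cc;          /* characters waiting in the raw input queue */
    int canq_cc;          /* characters in completed lines (canonical queue) */
};

/* Buggy form from the post: ICANON masked against t_iflag, i.e. tests ICRNL. */
static bool should_block_buggy(const struct tty_model *tp)
{
    return (tp->rawq_cc + tp->canq_cc) >= TTYHOG - 2 &&
           (tp->canq_cc > 0 || !(tp->t_iflag & ICANON));
}

/* Fixed form: ICANON lives in t_lflag. */
static bool should_block_fixed(const struct tty_model *tp)
{
    return (tp->rawq_cc + tp->canq_cc) >= TTYHOG - 2 &&
           (tp->canq_cc > 0 || !(tp->t_lflag & ICANON));
}

/*
 * Scenario from the post: readline has put the tty in non-canonical mode
 * (ICANON clear) with ICRNL set, and the raw queue is at the high-water
 * mark.  Returns true when the buggy check lets the write through where
 * the fixed check would block the writer.
 */
bool buggy_check_misses_overflow(void)
{
    struct tty_model tp = {
        .t_iflag = ICRNL,        /* set: aliases the value of ICANON */
        .t_lflag = 0,            /* ICANON clear: raw mode */
        .rawq_cc = TTYHOG - 2,   /* queue already at the threshold */
        .canq_cc = 0,
    };
    return !should_block_buggy(&tp) && should_block_fixed(&tp);
}

/*
 * Mirror image: canonical mode (ICANON set in t_lflag) with ICRNL clear
 * and a long partial line.  The fixed check lets the line complete; the
 * buggy check blocks the writer although no completed line is queued.
 */
bool buggy_check_blocks_canonical_partial_line(void)
{
    struct tty_model tp = {
        .t_iflag = 0,
        .t_lflag = ICANON,
        .rawq_cc = TTYHOG - 2,
        .canq_cc = 0,
    };
    return should_block_buggy(&tp) && !should_block_fixed(&tp);
}

/* Control: raw mode with ICRNL clear, both forms agree and block. */
bool checks_agree_without_icrnl(void)
{
    struct tty_model tp = { .t_iflag = 0, .t_lflag = 0,
                            .rawq_cc = TTYHOG - 2, .canq_cc = 0 };
    return should_block_buggy(&tp) && should_block_fixed(&tp);
}

int main(void)
{
    printf("raw mode + ICRNL: buggy check misses the overflow: %s\n",
           buggy_check_misses_overflow() ? "yes" : "no");
    printf("canonical mode, ICRNL clear: buggy check blocks early: %s\n",
           buggy_check_blocks_canonical_partial_line() ? "yes" : "no");
    printf("raw mode, ICRNL clear: both checks block: %s\n",
           checks_agree_without_icrnl() ? "yes" : "no");
    return 0;
}
```

The point the model makes is that the two termios fields use overlapping bit values by design, so a mask applied to the wrong field compiles and mostly works until some other program toggles the aliased bit; the defensive check in review is simply that every `ICANON` test is paired with `t_lflag`.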