Date:      Thu, 22 Dec 2005 21:03:15 +0100 (CET)
From:      Christian Laursen <xi@borderworlds.dk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/90819: [MAINTAINER] [SECURITY] net/nbd-server: fix buffer overflow bug 
Message-ID:  <20051222200315.E8C8D1147E@borg.borderworlds.dk>
Resent-Message-ID: <200512222010.jBMKAC3U014135@freefall.freebsd.org>


>Number:         90819
>Category:       ports
>Synopsis:       [MAINTAINER] [SECURITY] net/nbd-server: fix buffer overflow bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 22 20:10:11 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Christian Laursen
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
The Border Worlds 
>Environment:
System: FreeBSD borg.borderworlds.dk 6.0-RELEASE FreeBSD 6.0-RELEASE #1: Thu Nov 3 16:20:22 CET 2005 root@borg.borderworlds.dk:/usr/obj/usr/src/sys/BORG i386


	
>Description:
The attached patch fixes a buffer overflow vulnerability in nbd-server and fixes the
build on FreeBSD 7.0. Furthermore, the bundled nbd.h has been updated to the version
from a newer Linux kernel.

Requested by: remko
	
>How-To-Repeat:
	
>Fix:

	

--- nbd-server.diff begins here ---
diff -urN /usr/ports/net/nbd-server/Makefile nbd-server/Makefile
--- /usr/ports/net/nbd-server/Makefile	Thu Nov 17 16:07:21 2005
+++ nbd-server/Makefile	Thu Dec 22 20:40:38 2005
@@ -7,6 +7,7 @@
 
 PORTNAME=	nbd-server
 PORTVERSION=	2.8.2
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	nbd
@@ -25,13 +26,7 @@
 PLIST_FILES=	bin/nbd-server
 MAN1=		nbd-server.1
 
-.include <bsd.port.pre.mk>
-
-.if ${OSVERSION} >= 700000
-BROKEN=		"GCC fails on FreeBSD >= 7.0"
-.endif
-
 post-extract:
 	@${CP} ${FILESDIR}/nbd.h ${WRKSRC}
 
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff -urN /usr/ports/net/nbd-server/files/nbd.h nbd-server/files/nbd.h
--- /usr/ports/net/nbd-server/files/nbd.h	Sat Jul  3 01:21:53 2004
+++ nbd-server/files/nbd.h	Thu Dec 22 20:40:38 2005
@@ -8,6 +8,8 @@
  * 2003/06/24 Louis D. Langholtz <ldl@aros.net>
  *            Removed unneeded blksize_bits field from nbd_device struct.
  *            Cleanup PARANOIA usage & code.
+ * 2004/02/19 Paul Clements
+ *            Removed PARANOIA, plus various cleanup and comments
  */
 
 #ifndef LINUX_NBD_H
@@ -32,22 +34,19 @@
 #define nbd_cmd(req) ((req)->cmd[0])
 #define MAX_NBD 128
 
-/* Define PARANOIA to include extra sanity checking code in here & driver */
-#define PARANOIA
-
 /* userspace doesn't need the nbd_device structure */
 #ifdef __KERNEL__
 
+/* values for flags field */
+#define NBD_READ_ONLY 0x0001
+#define NBD_WRITE_NOCHK 0x0002
+
 struct nbd_device {
 	int flags;
 	int harderror;		/* Code of hard error			*/
-#define NBD_READ_ONLY 0x0001
-#define NBD_WRITE_NOCHK 0x0002
 	struct socket * sock;
 	struct file * file; 	/* If == NULL, device is not ready, yet	*/
-#ifdef PARANOIA
-	int magic;		/* FIXME: not if debugging is off	*/
-#endif
+	int magic;
 	spinlock_t queue_lock;
 	struct list_head queue_head;/* Requests are added here...	*/
 	struct semaphore tx_lock;
@@ -58,16 +57,14 @@
 
 #endif
 
-/* This now IS in some kind of include file...	*/
-
-/* These are send over network in request/reply magic field */
+/* These are sent over the network in the request/reply magic fields */
 
 #define NBD_REQUEST_MAGIC 0x25609513
 #define NBD_REPLY_MAGIC 0x67446698
 /* Do *not* use magics: 0x12560953 0x96744668. */
 
 /*
- * This is packet used for communication between client and
+ * This is the packet used for communication between client and
  * server. All data are in network byte order.
  */
 struct nbd_request {
@@ -82,6 +79,10 @@
 #endif
 ;
 
+/*
+ * This is the reply packet that nbd-server sends back to the client after
+ * it has completed an I/O request (or an error occurs).
+ */
 struct nbd_reply {
 	u32 magic;
 	u32 error;		/* 0 = ok, else error	*/
diff -urN /usr/ports/net/nbd-server/files/patch-nbd-server.c nbd-server/files/patch-nbd-server.c
--- /usr/ports/net/nbd-server/files/patch-nbd-server.c	Thu Jan  1 01:00:00 1970
+++ nbd-server/files/patch-nbd-server.c	Thu Dec 22 20:40:38 2005
@@ -0,0 +1,26 @@
+diff -urN nbd-2.8.2.orig/nbd-server.c nbd-2.8.2/nbd-server.c
+--- nbd-2.8.2.orig/nbd-server.c	Wed Nov  9 22:38:44 2005
++++ nbd-server.c	Thu Dec 22 16:04:47 2005
+@@ -363,11 +363,11 @@
+  * is severely wrong)
+  **/
+ void sigchld_handler(int s) {
+-        int* status=NULL;
++        int status;
+ 	int* i;
+ 	pid_t pid;
+ 
+-	while((pid=wait(status)) > 0) {
++	while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
+ 		if(WIFEXITED(status)) {
+ 			msg3(LOG_INFO, "Child exited with %d", WEXITSTATUS(status));
+ 		}
+@@ -684,7 +684,7 @@
+ 
+ 		if (request.magic != htonl(NBD_REQUEST_MAGIC))
+ 			err("Not enough magic.");
+-		if (len > BUFSIZE)
++		if (len > (BUFSIZE-sizeof(struct nbd_reply)))
+ 			err("Request too big!");
+ #ifdef DODBG
+ 		printf("%s from %Lu (%Lu) len %d, ", request.type ? "WRITE" :
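Review bot: The new `waitpid(-1, &status, WNOHANG)` loop in sigchld_handler clobbers errno (waitpid sets ECHILD once the last child has been reaped), and because the handler runs asynchronously the interrupted code can then observe the wrong errno; save it on entry with `int saved_errno = errno;` and put `errno = saved_errno;` back before the handler returns. sigchld_handler's body continues outside the hunk, so the place for the restore is not visible here. The tightened bound `if (len > (BUFSIZE-sizeof(struct nbd_reply)))` closes the overflow but silently encodes a layout assumption; a one-line comment such as `/* the reply header is written into the same buffer ahead of the payload; leave room for it */` would stop a later maintainer from relaxing it back to BUFSIZE — the buffer itself is not in this hunk, so confirm that is the actual reason. Since sizeof() makes the right-hand side size_t, a negative `len` (the `%d` format suggests it is a signed int) is promoted to unsigned and rejected, which is worth stating in the same comment.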
--- nbd-server.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


