From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Dec 22 20:10:46 2005
Message-Id: <20051222200315.E8C8D1147E@borg.borderworlds.dk>
Resent-Date: Thu, 22 Dec 2005 20:10:12 GMT
Resent-Message-Id: <200512222010.jBMKAC3U014135@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Date: Thu, 22 Dec 2005 21:03:15 +0100 (CET)
From: Christian Laursen
To: FreeBSD-gnats-submit@FreeBSD.org
Reply-To: Christian Laursen
Subject: ports/90819: [MAINTAINER] [SECURITY] net/nbd-server: fix buffer overflow bug
X-Send-Pr-Version: 3.113
List-Id: Ports bug reports

>Number:         90819
>Category:       ports
>Synopsis:       [MAINTAINER] [SECURITY] net/nbd-server: fix buffer overflow bug
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 22 20:10:11 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Christian Laursen
>Release:        FreeBSD 6.0-RELEASE i386
>Organization:
The Border Worlds
>Environment:
System: FreeBSD borg.borderworlds.dk 6.0-RELEASE FreeBSD 6.0-RELEASE #1: Thu Nov 3 16:20:22 CET 2005 root@borg.borderworlds.dk:/usr/obj/usr/src/sys/BORG i386
>Description:
The attached patch fixes a buffer overflow vulnerability and fixes building on FreeBSD 7.0. Furthermore, nbd.h has been updated to a version from a newer Linux kernel.

Requested by: remko
>How-To-Repeat:
>Fix:
--- nbd-server.diff begins here --- diff -urN /usr/ports/net/nbd-server/Makefile nbd-server/Makefile --- /usr/ports/net/nbd-server/Makefile Thu Nov 17 16:07:21 2005 +++ nbd-server/Makefile Thu Dec 22 20:40:38 2005 @@ -7,6 +7,7 @@ PORTNAME= nbd-server PORTVERSION= 2.8.2 +PORTREVISION= 1 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= nbd 
@@ -25,13 +26,7 @@ PLIST_FILES= bin/nbd-server MAN1= nbd-server.1 -.include - -.if ${OSVERSION} >= 700000 -BROKEN= "GCC fails on FreeBSD >= 7.0" -.endif - post-extract: @${CP} ${FILESDIR}/nbd.h ${WRKSRC} -.include +.include diff -urN /usr/ports/net/nbd-server/files/nbd.h nbd-server/files/nbd.h --- /usr/ports/net/nbd-server/files/nbd.h Sat Jul 3 01:21:53 2004 +++ nbd-server/files/nbd.h Thu Dec 22 20:40:38 2005 @@ -8,6 +8,8 @@ * 2003/06/24 Louis D. Langholtz * Removed unneeded blksize_bits field from nbd_device struct. * Cleanup PARANOIA usage & code. + * 2004/02/19 Paul Clements + * Removed PARANOIA, plus various cleanup and comments */ #ifndef LINUX_NBD_H @@ -32,22 +34,19 @@ #define nbd_cmd(req) ((req)->cmd[0]) #define MAX_NBD 128 -/* Define PARANOIA to include extra sanity checking code in here & driver */ -#define PARANOIA - /* userspace doesn't need the nbd_device structure */ #ifdef __KERNEL__ +/* values for flags field */ +#define NBD_READ_ONLY 0x0001 +#define NBD_WRITE_NOCHK 0x0002 + struct nbd_device { int flags; int harderror; /* Code of hard error */ -#define NBD_READ_ONLY 0x0001 -#define NBD_WRITE_NOCHK 0x0002 struct socket * sock; struct file * file; /* If == NULL, device is not ready, yet */ -#ifdef PARANOIA - int magic; /* FIXME: not if debugging is off */ -#endif + int magic; spinlock_t queue_lock; struct list_head queue_head;/* Requests are added here... */ struct semaphore tx_lock; @@ -58,16 +57,14 @@ #endif -/* This now IS in some kind of include file... */ - -/* These are send over network in request/reply magic field */ +/* These are sent over the network in the request/reply magic fields */ #define NBD_REQUEST_MAGIC 0x25609513 #define NBD_REPLY_MAGIC 0x67446698 /* Do *not* use magics: 0x12560953 0x96744668. */ /* - * This is packet used for communication between client and + * This is the packet used for communication between client and * server. All data are in network byte order. */ struct nbd_request { 
@@ -82,6 +79,10 @@ #endif ; +/* + * This is the reply packet that nbd-server sends back to the client after + * it has completed an I/O request (or an error occurs). + */ struct nbd_reply { u32 magic; u32 error; /* 0 = ok, else error */ diff -urN /usr/ports/net/nbd-server/files/patch-nbd-server.c nbd-server/files/patch-nbd-server.c --- /usr/ports/net/nbd-server/files/patch-nbd-server.c Thu Jan 1 01:00:00 1970 +++ nbd-server/files/patch-nbd-server.c Thu Dec 22 20:40:38 2005 @@ -0,0 +1,26 @@ +diff -urN nbd-2.8.2.orig/nbd-server.c nbd-2.8.2/nbd-server.c +--- nbd-2.8.2.orig/nbd-server.c Wed Nov 9 22:38:44 2005 ++++ nbd-server.c Thu Dec 22 16:04:47 2005 +@@ -363,11 +363,11 @@ + * is severely wrong) + **/ + void sigchld_handler(int s) { +- int* status=NULL; ++ int status; + int* i; + pid_t pid; + +- while((pid=wait(status)) > 0) { ++ while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { + if(WIFEXITED(status)) { + msg3(LOG_INFO, "Child exited with %d", WEXITSTATUS(status)); + } +@@ -684,7 +684,7 @@ + + if (request.magic != htonl(NBD_REQUEST_MAGIC)) + err("Not enough magic."); +- if (len > BUFSIZE) ++ if (len > (BUFSIZE-sizeof(struct nbd_reply))) + err("Request too big!"); + #ifdef DODBG + printf("%s from %Lu (%Lu) len %d, ", request.type ? "WRITE" : --- nbd-server.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
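Review bot: the Makefile hunk at @@ -25,13 +26,7 @@ only drops the `BROKEN= "GCC fails on FreeBSD >= 7.0"` marker and collapses the pre/post `.include` pair into a single `.include`; nothing in it changes compiler flags or sources, so the 7.0 build fix must come entirely from the replaced files/nbd.h. State that in the description (or a one-line Makefile comment) so the marker is not re-added the next time the header is touched. Also, the three `.include` lines appear here with no file name after them; as shown the Makefile would not parse, so confirm the committed diff still carries the bracketed include targets.

Review bot: the files/nbd.h hunk at @@ -8,6 +8,8 @@ adds upstream's own changelog entry (`2004/02/19 Paul Clements`) but still does not record which Linux kernel release this copy of nbd.h was taken from, and the PR description only says "a newer Linux kernel". Add the kernel version to the header comment or to files/nbd.h's first lines so the next update can be diffed against the exact upstream file rather than guessed.

Review bot: in the sigchld_handler hunk the rewritten loop fixes the original's `wait(status)` with `status == NULL`, which left `WIFEXITED(status)` operating on a null pointer rather than on a child's exit status, and `waitpid(-1, &status, WNOHANG)` correctly reaps every child that has already exited without blocking on those still running. Two follow-ups in the same lines: `waitpid` sets errno (ECHILD once the loop drains), so a SIGCHLD that lands in the middle of a system call in the main loop will have the caller's errno clobbered; save errno on entry and restore it before returning. The now-unused `int* i;` declaration can also go. The `msg3(LOG_INFO, "Child exited with %d", ...)` call is pre-existing, but logging from a signal handler is not async-signal-safe and deserves a separate fix.

Review bot: the new bound `len > (BUFSIZE-sizeof(struct nbd_reply))` is the right one for a buffer that, as the subtraction implies, carries the reply header followed by the payload; the old `len > BUFSIZE` let a client choose a len within the last sizeof(struct nbd_reply) bytes and write past the end, which is the overflow this PR fixes. One caveat: `len` is printed with `%d` a few lines down, so it is a signed int compared against a size_t. The usual arithmetic conversions turn a negative len into a huge unsigned value, which the check rejects, but that outcome is an accident of promotion rather than the stated intent; declaring `len` unsigned, or adding a comment saying the promotion is relied upon, would make it explicit. It would also help operators if "Request too big!" named the limit that was exceeded.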