Date: Wed, 24 Mar 1999 12:57:54 +0900 (JST)
From: futatuki@fureai.or.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/10765: buffer overrun on msgrcv() system call
Message-ID: <199903240357.MAA01108@sheep.adin.co.jp>
>Number: 10765
>Category: kern
>Synopsis: buffer overrun on msgrcv() system call
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Mar 23 20:10:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Yasuhito FUTATSUKI
>Release: FreeBSD 3.1-RELEASE i386
>Organization:
>Environment:
FreeBSD 3.1-RELEASE i386 / FreeBSD 2.2.7-RELEASE i386
>Description:
msgrcv(msqid, msgp, msgsz, msgtyp, msgflg) copies a larger amount of
message data than specified in msgsz when
1. msgsz is larger than `msgssz', and
2. msgsz is not a multiple of `msgssz',
where msgssz is the size of a message segment in bytes, as specified by
the kernel configuration option MSGSSZ; the default is 8.
>How-To-Repeat:
Assume msgssz is 8, a message queue of id msqid is accessible, and
a message of type msgtyp and size 20 bytes was sent. Then
    struct {
        long mtype;
        char mtext[20];
        long some_data;
    } mymsg;
    msgrcv(msqid, (void *)&mymsg, 20, msgtyp, 0);
will overwrite mymsg.some_data, since the kernel copies three full
8-byte segments (24 bytes) instead of the 20 bytes requested.
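To make the overrun visible without a kernel, here is an added userland model of the msgrcv() copyout loop (example code, not the kernel source or the submitter's patch). It assumes the report's default msgssz of 8, a constructed message store and a constructed caller buffer with guard bytes standing in for some_data, and compares the 3.1-RELEASE per-segment length computation with the patched one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Userland model of the msgrcv() copyout loop in sys/kern/sysv_msg.c
 * (an added illustration, not the kernel source). The message body is
 * kept in fixed-size segments of SEGSZ bytes, like MSGSSZ. */
#define SEGSZ 8       /* the report's default msgssz */
#define USER_LEN 20   /* the msgsz the report's caller passes */
#define GUARD 8       /* bytes after the caller's buffer, like some_data */

/* Copy msgsz bytes of a segmented message into dst, one segment per pass;
 * fixed selects the patched (1) or 3.1-RELEASE (0) tlen. Returns bytes written. */
size_t copy_segments(unsigned char *dst, const unsigned char *seg,
                     size_t msgsz, int fixed)
{
    size_t len, copied = 0;
    for (len = 0; len < msgsz; len += SEGSZ) {
        size_t tlen;
        if (fixed)   /* bound the copy by the bytes still outstanding */
            tlen = (msgsz - len > SEGSZ) ? SEGSZ : msgsz - len;
        else         /* bug: tests the total, so the last partial segment
                        still copies a full SEGSZ bytes */
            tlen = (msgsz > SEGSZ) ? SEGSZ : msgsz;
        memcpy(dst + len, seg + len, tlen);   /* stands in for copyout() */
        copied += tlen;
    }
    return copied;
}

/* Caller's buffer laid out as in the report: USER_LEN bytes of mtext then
 * GUARD bytes standing in for some_data (msgsz must not exceed USER_LEN).
 * Returns how many guard bytes the copy clobbered; 0 means no overrun. */
size_t guard_bytes_clobbered(size_t msgsz, int fixed)
{
    unsigned char user[USER_LEN + GUARD], seg[4 * SEGSZ];
    size_t i, hit = 0;
    memset(seg, 'A', sizeof seg);      /* constructed message payload */
    memset(user, 0xEE, sizeof user);   /* 0xEE marks an untouched guard byte */
    copy_segments(user, seg, msgsz, fixed);
    for (i = USER_LEN; i < sizeof user; i++)
        hit += (user[i] != 0xEE);
    return hit;
}
int main(void)
{
    printf("msgsz=%d: buggy clobbers %zu byte(s), fixed clobbers %zu\n", USER_LEN,
           guard_bytes_clobbered(USER_LEN, 0), guard_bytes_clobbered(USER_LEN, 1));
    return 0;
}
```

With msgsz equal to 16 (a multiple of the segment size) or 5 (smaller than one segment) neither variant overruns, which matches the two conditions in the Description.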
>Fix:
*** sys/kern/sysv_msg.c.dist Mon Mar 30 18:50:35 1998
--- sys/kern/sysv_msg.c Wed Mar 24 10:52:34 1999
***************
*** 993,1002 ****
for (len = 0; len < msgsz; len += msginfo.msgssz) {
size_t tlen;
! if (msgsz > msginfo.msgssz)
tlen = msginfo.msgssz;
else
! tlen = msgsz;
if (next <= -1)
panic("next too low #3");
if (next >= msginfo.msgseg)
--- 993,1002 ----
for (len = 0; len < msgsz; len += msginfo.msgssz) {
size_t tlen;
! if (msgsz - len > msginfo.msgssz)
tlen = msginfo.msgssz;
else
! tlen = msgsz -len;
if (next <= -1)
panic("next too low #3");
if (next >= msginfo.msgseg)
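Review bot: The new bound is the right one: the old test compared the whole msgsz against msginfo.msgssz on every iteration, so once msgsz exceeded one segment tlen was a full segment even on the last, partial pass, and the copy for that pass ran past the caller's msgsz bytes (the 24 bytes copied for a 20-byte receive in the report); `msgsz - len` makes tlen the bytes still outstanding, which is at most msgssz. Style nit on the last changed line: `tlen = msgsz -len;` should read `tlen = msgsz - len;` to match the condition above it. The `panic("next too low #3")` numbering also suggests sibling segment loops elsewhere in the file; it is worth confirming that they derive their per-segment length from the remaining count in the same way.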
>Release-Note:
>Audit-Trail:
>Unformatted:
