Date: Fri, 11 Apr 1997 20:48:51 +0900 (JST)
From: kato@eclogite.eps.nagoya-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/3255: cn_pnbuf overflow
Message-ID: <199704111148.UAA00718@gneiss.eps.nagoya-u.ac.jp>
Resent-Message-ID: <199704111150.EAA12773@freefall.freebsd.org>
>Number:         3255
>Category:       kern
>Synopsis:       cn_pnbuf in union_vn_create overflow
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 11 04:50:00 PDT 1997
>Last-Modified:
>Originator:     KATO Takenori
>Organization:   Dept. Earth Planet. Sci, Nagoya Univ.
>Release:        FreeBSD 2.2-STABLE i386
>Environment:
>Description:
Though malloc allocates only cn.cn_namelen bytes for cn.cn_pnbuf in union_vn_create(), the following bcopy copies cn.cn_namelen + 1 bytes to cn.cn_pnbuf.
>How-To-Repeat:
>Fix:
Obtained from: NetBSD/pc98

The following patch is generated from the RELENG_2_2 branch; the problem also exists in 3.0-current.

*** union_subr.c.ORIG Fri Apr 11 20:34:55 1997 --- union_subr.c Fri Apr 11 20:35:16 1997 *************** *** 660,666 **** * copied in the first place). */ cn.cn_namelen = strlen(un->un_path); ! cn.cn_pnbuf = (caddr_t) malloc(cn.cn_namelen, M_NAMEI, M_WAITOK); bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1); cn.cn_nameiop = CREATE; cn.cn_flags = (LOCKPARENT|HASBUF|SAVENAME|SAVESTART|ISLASTCN); --- 660,666 ---- * copied in the first place). */ cn.cn_namelen = strlen(un->un_path); ! cn.cn_pnbuf = (caddr_t) malloc(cn.cn_namelen+1, M_NAMEI, M_WAITOK); bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1); cn.cn_nameiop = CREATE; cn.cn_flags = (LOCKPARENT|HASBUF|SAVENAME|SAVESTART|ISLASTCN);

>Audit-Trail:
>Unformatted:
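Review bot: The one byte the old malloc() was short is the NUL terminator: strlen() excludes it but the bcopy() two lines below copies cn.cn_namelen+1 bytes, so the change to malloc(cn.cn_namelen+1, M_NAMEI, M_WAITOK) in the hunk at lines 660-666 is the right fix and makes the allocation match the copy length. Since the size and the copy length are now written as two separate "cn.cn_namelen+1" expressions, consider binding both to one local (for example a "len = cn.cn_namelen + 1;" used by both calls) so a later edit to one cannot reintroduce the one-byte kernel heap overrun; a short comment noting that the +1 is for the terminator would also help, as the existing comment above the hunk does not mention it.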
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199704111148.UAA00718>