From owner-freebsd-bugs Fri Apr 11 04:50:03 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA12779 for bugs-outgoing; Fri, 11 Apr 1997 04:50:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id EAA12773; Fri, 11 Apr 1997 04:50:01 -0700 (PDT)
Resent-Date: Fri, 11 Apr 1997 04:50:01 -0700 (PDT)
Resent-Message-Id: <199704111150.EAA12773@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, kato@eclogite.eps.nagoya-u.ac.jp
Received: from gneiss.eps.nagoya-u.ac.jp (gneiss.eps.nagoya-u.ac.jp [133.6.57.99]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id EAA12731 for ; Fri, 11 Apr 1997 04:48:58 -0700 (PDT)
Received: (from kato@localhost) by gneiss.eps.nagoya-u.ac.jp (8.8.5/3.4W4) id UAA00718; Fri, 11 Apr 1997 20:48:51 +0900 (JST)
Message-Id: <199704111148.UAA00718@gneiss.eps.nagoya-u.ac.jp>
Date: Fri, 11 Apr 1997 20:48:51 +0900 (JST)
From: kato@eclogite.eps.nagoya-u.ac.jp
Reply-To: kato@eclogite.eps.nagoya-u.ac.jp
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/3255: cn_pnbuf overflow
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         3255
>Category:       kern
>Synopsis:       cn_pnbuf in union_vn_create overflow
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 11 04:50:00 PDT 1997
>Last-Modified:
>Originator:     KATO Takenori
>Organization:   Dept. Earth Planet. Sci, Nagoya Univ.
>Release:        FreeBSD 2.2-STABLE i386
>Environment:
>Description:
Though malloc allocates only cn.cn_namelen bytes for cn.cn_pnbuf in union_vn_create(), the following bcopy copies cn.cn_namelen + 1 bytes to cn.cn_pnbuf.
>How-To-Repeat:
>Fix:
Obtained from: NetBSD/pc98
The following patch is generated from the RELENG_2_2 branch; the problem also exists in 3.0-current.
*** union_subr.c.ORIG Fri Apr 11 20:34:55 1997 --- union_subr.c Fri Apr 11 20:35:16 1997 *************** *** 660,666 **** * copied in the first place). */ cn.cn_namelen = strlen(un->un_path); ! cn.cn_pnbuf = (caddr_t) malloc(cn.cn_namelen, M_NAMEI, M_WAITOK); bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1); cn.cn_nameiop = CREATE; cn.cn_flags = (LOCKPARENT|HASBUF|SAVENAME|SAVESTART|ISLASTCN); --- 660,666 ---- * copied in the first place). */ cn.cn_namelen = strlen(un->un_path); ! cn.cn_pnbuf = (caddr_t) malloc(cn.cn_namelen+1, M_NAMEI, M_WAITOK); bcopy(un->un_path, cn.cn_pnbuf, cn.cn_namelen+1); cn.cn_nameiop = CREATE; cn.cn_flags = (LOCKPARENT|HASBUF|SAVENAME|SAVESTART|ISLASTCN); >Audit-Trail: >Unformatted:
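Review bot: The size fix is correct for the single changed line: strlen() excludes the terminating NUL while the bcopy on the next line copies cn.cn_namelen+1 bytes, so the original malloc(cn.cn_namelen, M_NAMEI, M_WAITOK) was one byte short and the NUL landed past the end of the M_NAMEI allocation. The allocation length and the copy length are still written as two independent expressions, though; consider deriving both from one local (or adding a comment above the malloc saying the buffer must hold the NUL) so a later edit to one of them cannot reintroduce the same off-by-one.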
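As an added user-space model (not FreeBSD kernel code) of the bug described in this PR, the function below reproduces the strlen() versus strlen()+1 mismatch between the malloc and the bcopy in union_vn_create(). The kernel's malloc(9) and bcopy(9) are replaced by a fixed arena with canary bytes, an assumption of the model, so the one-byte overrun can be observed without corrupting a real heap.

```c
/* Added model of the union_vn_create() cn_pnbuf off-by-one; not kernel code.
 * The "allocation" is the first alloc_size bytes of a canary-filled arena,
 * so any write past the allocation shows up as a clobbered canary. */
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define CANARY     0xAA

/* Mirrors the PR's code path: cn_namelen = strlen(path); allocate either
 * cn_namelen bytes (the buggy size) or cn_namelen + 1 (the fixed size);
 * then copy cn_namelen + 1 bytes, NUL included, exactly as the bcopy does.
 * Returns 1 if the copy wrote past the allocation, 0 if it stayed inside,
 * -1 if the path does not fit this model's arena. */
int copy_path_overflows(const char *path, int apply_fix)
{
    unsigned char arena[ARENA_SIZE];
    size_t cn_namelen = strlen(path);                       /* no NUL counted */
    size_t alloc_size = apply_fix ? cn_namelen + 1 : cn_namelen;

    /* Need room for the copy plus one canary byte after the allocation. */
    if (cn_namelen + 2 > ARENA_SIZE)
        return -1;

    memset(arena, CANARY, sizeof arena);                    /* "fresh" heap */
    unsigned char *cn_pnbuf = arena;                        /* the allocation */

    memcpy(cn_pnbuf, path, cn_namelen + 1);                 /* the bcopy */

    /* The first byte after the allocation must still be the canary; with
     * the buggy size it has been overwritten by the string's NUL. */
    return cn_pnbuf[alloc_size] != CANARY;
}

int main(void)
{
    const char *path = "usr/local/etc"; /* constructed sample un_path */
    printf("buggy malloc(cn_namelen)   overflows: %d\n",
           copy_path_overflows(path, 0));
    printf("fixed malloc(cn_namelen+1) overflows: %d\n",
           copy_path_overflows(path, 1));
    return 0;
}
```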