Date: Mon, 10 Aug 1998 13:37:21 +0200 (CEST)
From: hm@kts.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: kern/7556: potential sl_compress_init problem in slcompress.c and if_ppp.c
Message-ID: <m0z5qGP-000029C@bert.kts.org>
>Number: 7556
>Category: kern
>Synopsis: sl_compress_init() will fail if called with anything other than -1 or with a value > MAX_STATES
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 10 05:10:00 PDT 1998
>Last-Modified:
>Originator: Hellmuth Michaelis
>Organization:
Kitchen Table Systems
>Release: FreeBSD 2.2.6-RELEASE i386
>Environment:
Environments where Van Jacobson header compression is needed and the
compression routines in slcompress.c are used for this purpose. This
report is based on sources from FreeBSD 2.2.5 and 2.2.6.
>Description:
The subroutine sl_compress_init(comp, max_state) in slcompress.c at least
implies that the state table can be changed to any size dynamically if
called with an appropriate value for max_state.
This is not true, because the corresponding table is initialized by the
hardcoded MAX_STATES value in the header file slcompress.h.
Calling sl_compress_init() with a value greater than MAX_STATES will cause
writes outside the slcompress structure - bad things happen.
sl_compress_init() is currently used like this in the kernel PPP driver,
if_ppp.c:
#ifdef VJC
	case PPPIOCSMAXCID:
		if (error = suser(p->p_ucred, &p->p_acflag))
			return (error);
		s = splnet();
		sl_compress_init(&sc->sc_comp, *(int *)data);
		splx(s);
		break;
#endif
In this case, if this ioctl is ever issued with a value other than -1
or with a value greater than MAX_STATES, random writes into other
unknown data structures will occur!
>How-To-Repeat:
Call sl_compress_init() with a max_state value of e.g. 64. (Caution:
make a backup before doing this!)
>Fix:
Immediately disable the usage of any parameter for max_state other than
-1 now!
For the future, make the tstate and rstate structures in struct slcompress
resize dynamically so sl_compress_init() is able to do what it should be
able to do.
>Audit-Trail:
>Unformatted:
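The following is an added example, not part of the PR above and not code from the FreeBSD sources. It models the defect the report describes and the check it asks for: a simplified struct slcompress with the fixed-size tstate[MAX_STATES] table, an init routine that follows the shape of the BSD sl_compress_init() loop but rejects any max_state outside the table, and an ioctl-style wrapper in place of the PPPIOCSMAXCID case. The struct layout, MAX_STATES = 16, and every vj_-prefixed name are this example's assumptions. One caveat worth noting for anyone writing the real check: the loop fills tstate[max_state] down to tstate[1], so the largest legal value is MAX_STATES - 1, and max_state == MAX_STATES already writes one element past the array.

```c
/* Added example modelling PR kern/7556: bounds-checking the max_state
 * argument of sl_compress_init(). The struct layout, MAX_STATES value and
 * the init loop are simplified from the 4.4BSD-style slcompress code;
 * names prefixed "vj_" are this example's own, not the FreeBSD kernel's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STATES 16          /* as in slcompress.h: fixed table size (assumed) */
#define SLF_TOSS   0x01

struct cstate {
    struct cstate *cs_next;    /* next most recently used state */
    uint16_t       cs_hlen;
    uint8_t        cs_id;      /* connection number (slot index) */
    uint8_t        cs_filler;
    /* saved IP/TCP header omitted in this model */
};

struct slcompress {
    struct cstate *last_cs;
    uint8_t        last_recv;
    uint8_t        last_xmit;
    uint16_t       flags;
    struct cstate  tstate[MAX_STATES];  /* xmit connection states */
    struct cstate  rstate[MAX_STATES];  /* receive connection states */
};

/* Bytes an unchecked init loop would write past the end of tstate[] for a
 * given max_state; 0 means the call stays in bounds. The loop writes
 * tstate[max_state] down to tstate[1], so the largest legal index is
 * MAX_STATES - 1, not MAX_STATES. */
size_t vj_overflow_bytes(int max_state)
{
    if (max_state < MAX_STATES)
        return 0;
    return (size_t)(max_state - (MAX_STATES - 1)) * sizeof(struct cstate);
}

/* Hardened init: same behaviour as the original for legal input, EINVAL
 * otherwise. -1 means "use the whole table and reset statistics". */
int vj_compress_init(struct slcompress *comp, int max_state)
{
    struct cstate *tstate = comp->tstate;
    int i;

    if (max_state == -1) {
        max_state = MAX_STATES - 1;
        memset(comp, 0, sizeof(*comp));
    } else if (max_state < 0 || max_state >= MAX_STATES) {
        return EINVAL;             /* the missing check the PR asks for */
    } else {
        /* keep statistics, reset only the connection state tables */
        memset(comp->tstate, 0, sizeof(comp->tstate));
        memset(comp->rstate, 0, sizeof(comp->rstate));
    }
    for (i = max_state; i > 0; --i) {
        tstate[i].cs_id = (uint8_t)i;
        tstate[i].cs_next = &tstate[i - 1];
    }
    tstate[0].cs_next = &tstate[max_state];
    tstate[0].cs_id = 0;
    comp->last_cs = &tstate[0];
    comp->last_recv = 255;
    comp->last_xmit = 255;
    comp->flags = SLF_TOSS;
    return 0;
}

/* Slots reachable by walking the cs_next ring from tstate[0]: the
 * effective "max CID + 1" after a successful init. */
int vj_ring_len(const struct slcompress *comp)
{
    const struct cstate *start = &comp->tstate[0], *cs = start;
    int n = 0;
    do {
        n++;
        cs = cs->cs_next;
    } while (cs != start && n <= MAX_STATES);
    return n;
}

/* Stand-in for the PPPIOCSMAXCID case: the user-supplied value is
 * validated before it can reach the table. Returns 0 or an errno value.
 * splnet()/splx() around the call are omitted; the check is the point. */
int vj_ioctl_set_maxcid(struct slcompress *comp, int user_value)
{
    return vj_compress_init(comp, user_value);
}

int main(void)
{
    struct slcompress sc;
    int vals[] = { -1, 8, 15, 16, 64 };   /* constructed sample inputs */
    for (size_t k = 0; k < sizeof vals / sizeof vals[0]; k++) {
        int rc = vj_ioctl_set_maxcid(&sc, vals[k]);
        printf("max_state=%3d -> rc=%d ring=%2d would-overflow=%zu bytes\n",
               vals[k], rc, rc ? 0 : vj_ring_len(&sc), vj_overflow_bytes(vals[k]));
    }
    return 0;
}
```

With these assumptions, -1 and 0..15 initialise a ring of max_state + 1 slots, while 16 and 64 are refused with EINVAL instead of writing one and 49 cstate entries past the end of tstate[] into rstate[] and beyond. The check belongs in sl_compress_init() itself rather than only in the ioctl handler, since any other caller of the routine would otherwise be exposed to the same out-of-bounds write.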