From owner-freebsd-bugs Mon Aug 10 05:10:15 1998
Date: Mon, 10 Aug 1998 13:37:21 +0200 (CEST)
From: hm@kts.org
Reply-To: hm@kts.org
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: kern/7556: potential sl_compress_init problem in slcompress.c and if_ppp.c
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         7556
>Category:       kern
>Synopsis:       sl_compress_init() will fail if called with anything else than -1 or >MAX_STATE
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 10 05:10:00 PDT 1998
>Last-Modified:
>Originator:     Hellmuth Michaelis
>Organization:   Kitchen Table Systems
>Release:        FreeBSD 2.2.6-RELEASE i386
>Environment:
In environments where Van Jacobson header compression is needed and the compression routines in slcompress.c are used for this purpose. This report is based on sources from FreeBSD 2.2.5 and 2.2.6.
>Description:
The subroutine sl_compress_init(comp, max_state) in slcompress.c at least implies that the state table can be changed to any value dynamically if called with some appropriate value for max_state. This is not true, because the corresponding table is initialized by the hardcoded MAX_STATES value in the header file slcompress.h. Calling sl_compress_init() with a value greater than MAX_STATES will cause writing outside the slcompress structure - bad things happen.

sl_compress_init() is currently used like this in the kernel PPP driver, if_ppp.c:

    #ifdef VJC
            case PPPIOCSMAXCID:
                    if (error = suser(p->p_ucred, &p->p_acflag))
                            return (error);
                    s = splnet();
                    sl_compress_init(&sc->sc_comp, *(int *)data);
                    splx(s);
                    break;
    #endif

In this case, if this ioctl routine is ever issued with a value other than -1 or with a value greater than MAX_STATES, random writes into other unknown data structures will occur!
>How-To-Repeat:
Call sl_compress_init() with a max_state value of e.g. 64. (Caution: make a backup before doing this!)
>Fix:
Immediately disable the usage of any parameter for max_state other than -1 now! For the future, make the tstate and rstate structures in struct slcompress resize dynamically so sl_compress_init() is able to do what it should be able to do.
>Audit-Trail:
>Unformatted:
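Added example, not part of the report above and not FreeBSD's own code: a reduced model of struct slcompress with its fixed-size tstate[]/rstate[] tables, plus a constructed bounds-checked variant of sl_compress_init() that refuses any max_state the compile-time table cannot hold (the immediate mitigation the report asks for). The struct layout, the MAX_STATES value of 16, the trailer member and the function names are assumptions made for illustration.

```c
#include <string.h>
#include <errno.h>

#define MAX_STATES 16 /* compile-time table size, standing in for slcompress.h's value */

struct cstate {
    struct cstate *cs_next;
    unsigned char  cs_id;
};

/* Reduced model of struct slcompress: tstate[] and rstate[] are fixed-size
 * arrays sized by MAX_STATES, so nothing about them can grow at run time. */
struct slcompress {
    struct cstate *last_cs;
    struct cstate  tstate[MAX_STATES];
    struct cstate  rstate[MAX_STATES];
    unsigned char  trailer; /* constructed: stands in for whatever the kernel places after the struct */
};

/* Highest tstate index an init with this max_state would write (indices run 0..max_state;
 * -1 selects the full table). Anything >= MAX_STATES is past the end of tstate[]. */
int highest_index_written(int max_state)
{
    return max_state == -1 ? MAX_STATES - 1 : max_state;
}

/* Hardened variant (constructed): reject what the table cannot hold instead of
 * indexing past tstate[]. Returns 0 on success, EINVAL for an out-of-range max_state. */
int sl_compress_init_checked(struct slcompress *comp, int max_state)
{
    if (max_state == -1)
        max_state = MAX_STATES - 1;
    if (max_state < 0 || max_state >= MAX_STATES)
        return EINVAL;                       /* e.g. the report's value of 64 lands here */
    memset(comp, 0, sizeof(*comp));
    /* Chain the slots into a ring of max_state + 1 entries, highest index first. */
    for (int i = max_state; i > 0; --i) {
        comp->tstate[i].cs_id   = (unsigned char)i;
        comp->tstate[i].cs_next = &comp->tstate[i - 1];
    }
    comp->tstate[0].cs_next = &comp->tstate[max_state];
    comp->last_cs = &comp->tstate[0];
    return 0;
}
```

With the check in place, the PPPIOCSMAXCID handler can propagate the EINVAL return to the caller instead of letting an unchecked user-supplied value select how far past the table the initialisation writes.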