Date: 7 Feb 2000 07:15:54 -0000
From: sascha@schumann.cx
To: FreeBSD-gnats-submit@freebsd.org
Cc: sascha@schumann.cx
Subject: kern/16552: appropriate buffer size check
Message-ID: <20000207071554.7203.qmail@schumann.cx>
>Number: 16552
>Category: kern
>Synopsis: sys/dev/ppbus/pcfclock.c lacks a proper buffer size check
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Feb 6 23:30:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator: Sascha Schumann
>Release: FreeBSD 4.0-CURRENT i386
>Organization:
>Environment:
NA
>Description:
By passing a too small buffer into pcfclock_read(), an overrun can happen.
>How-To-Repeat:
int fd;
char buf[3];
fd = open("/dev/pcfclock0", O_RDONLY);
read(fd, buf, 3);
>Fix:
--- /usr/src/sys/dev/ppbus/pcfclock.c Sun Jan 23 15:41:04 2000 +++ pcfclock.c Sat Jan 29 12:13:38 2000 @@ -311,6 +309,9 @@ u_int unit = minor(dev); char buf[18]; int error = 0; + + if (uio->uio_resid < 18) + return (ERANGE); error = pcfclock_read_dev(dev, buf, PCFCLOCK_MAX_RETRIES);
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
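Review bot: the added check `if (uio->uio_resid < 18)` repeats the literal 18 from the `char buf[18];` declaration in the context just above it, so the two can drift apart if the buffer size ever changes; compare against `sizeof(buf)` or a named constant shared by both. ERANGE is also not an errno that read(2) callers usually expect for a short buffer; consider EINVAL, and document whichever value is returned for this device. The copy-out to the caller's buffer is not visible in this hunk, so confirm it is bounded by the same size as this check. The hunk header `@@ -311,6 +309,9 @@` puts the new start line two lines before the old one although this hunk only adds lines, which suggests the diff was taken against a file with other local changes; regenerate it against the unmodified source.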