From owner-freebsd-bugs@FreeBSD.ORG Sat May 8 06:40:19 2004
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200405081333.i48DXtnd039011@www.freebsd.org>
Date: Sat, 8 May 2004 06:33:55 -0700 (PDT)
From: Andrei Iltchenko
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/66386: Buffer overrun in the 'in_pcbopts' function.

>Number:         66386
>Category:       kern
>Synopsis:       Buffer overrun in the 'in_pcbopts' function.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 08 06:40:18 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Andrei Iltchenko
>Release:        FreeBSD 4.7
>Organization:   Compuware
>Environment:
FreeBSD glora.wanadoo.nl 4.7-RC FreeBSD 4.7-RC #1: Sun Sep 29 16:33:54 CEST 2002     root@:/usr/src/sys/compile/GLORA  i386
>Description:
The 'ip_pcbopts' function in 'ip_output.c' contains a buffer overrun that occurs whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied. Here's the offending piece of code:

	/*
	 * Then copy rest of options back
	 * to close up the deleted entry.
	 */
	ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + sizeof(struct in_addr)),
	    (caddr_t)&cp[IPOPT_OFFSET+1],
	    (unsigned)cnt + sizeof(struct in_addr));
	break;

The problem is the last argument of the above call to 'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
>How-To-Repeat:
>Fix:
The call to 'ovbcopy' should be rewritten to read:

	/*
	 * Then copy rest of options back
	 * to close up the deleted entry. The bytes that follow it run
	 * from &cp[IPOPT_OFFSET+1] + sizeof(struct in_addr) to the old
	 * end of the options at cp + cnt + sizeof(struct in_addr), i.e.
	 * there are cnt - (IPOPT_MINOFF - 1) of them.
	 */
	ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] + sizeof(struct in_addr)),
	    (caddr_t)&cp[IPOPT_OFFSET+1],
	    (unsigned)cnt - (IPOPT_MINOFF - 1));
	break;

>Release-Note:
>Audit-Trail:
>Unformatted:
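To make the length arithmetic concrete, here is a user-space model of that compaction step (an added example, not code from the PR or from the FreeBSD tree): the IPOPT_* constants mirror <netinet/ip.h>, ADDRLEN stands in for sizeof(struct in_addr), struct pcbopts stands in for the mbuf data area after ip_pcbopts() has prepended the first-hop slot, and the LSRR option in sample_opts is constructed. compact_source_route() applies the corrected move length and returns how many bytes the original expression, cnt + sizeof(struct in_addr), would have read past the end of the option bytes.

```c
#include <stdint.h>
#include <string.h>
#define IPOPT_OPTVAL 0              /* constants mirror <netinet/ip.h> */
#define IPOPT_OLEN 1
#define IPOPT_OFFSET 2
#define IPOPT_MINOFF 4
#define IPOPT_LSRR 131
#define IPOPT_SSRR 137
#define ADDRLEN 4                   /* sizeof(struct in_addr) */

/* Stand-in for the mbuf: a first-hop slot followed by the options; len mirrors m_len. */
struct pcbopts { uint8_t data[64]; int len; };

/* Constructed user options: LSRR ->A->B->C, EOL-padded to a 4-byte multiple. */
static const uint8_t sample_opts[16] = { IPOPT_LSRR, 15, IPOPT_MINOFF,
    10, 0, 0, 1 /* A */, 10, 0, 0, 2 /* B */, 10, 0, 0, 3 /* C */, 0 /* EOL */ };

/* Lay the buffer out as ip_pcbopts() does: zeroed first-hop slot, then the
 * options. Returns -1 where the kernel's size checks would reject the input. */
static int pcbopts_init(struct pcbopts *p, const uint8_t *opts, int cnt)
{
    if (cnt % 4 || cnt + ADDRLEN > (int)sizeof p->data)
        return -1;
    memset(p->data, 0, ADDRLEN);
    memcpy(p->data + ADDRLEN, opts, cnt);
    p->len = cnt + ADDRLEN;
    return 0;
}

/* Delete the first hop of a leading LSRR/SSRR option using the corrected move
 * length. Returns how many bytes the original length, cnt + sizeof(struct
 * in_addr), would have read past the end of the options; -1 if malformed. */
static int compact_source_route(struct pcbopts *p)
{
    uint8_t *cp = p->data + ADDRLEN;
    int cnt = p->len - ADDRLEN, optlen, remaining;
    if (cnt < IPOPT_OLEN + 1 || (cp[IPOPT_OPTVAL] != IPOPT_LSRR && cp[IPOPT_OPTVAL] != IPOPT_SSRR))
        return -1;
    optlen = cp[IPOPT_OLEN];
    if (optlen < IPOPT_OLEN + 1 || optlen > cnt || optlen < IPOPT_MINOFF - 1 + ADDRLEN)
        return -1;
    p->len -= ADDRLEN;
    cnt -= ADDRLEN;
    cp[IPOPT_OLEN] = optlen - ADDRLEN;
    memcpy(p->data, &cp[IPOPT_OFFSET + 1], ADDRLEN);      /* hop A goes in front */
    /* Bytes after the deleted entry run from cp + 7 to the old end, cp + cnt + 4. */
    remaining = cnt - (IPOPT_MINOFF - 1);
    memmove(&cp[IPOPT_OFFSET + 1], &cp[IPOPT_OFFSET + 1] + ADDRLEN, remaining);
    return (cnt + ADDRLEN) - remaining;                    /* always 7 */
}
```

With the 16-byte sample the correct move is 9 bytes while the original expression asks for 16, which is the 7-byte overrun the report describes.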