Date:      Sat, 8 May 2004 06:33:55 -0700 (PDT)
From:      Andrei Iltchenko <iltchenko@yahoo.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/66386: Buffer overrun in the 'in_pcbopts' function.
Message-ID:  <200405081333.i48DXtnd039011@www.freebsd.org>
Resent-Message-ID: <200405081340.i48DeIjL059514@freefall.freebsd.org>


>Number:         66386
>Category:       kern
>Synopsis:       Buffer overrun in the 'in_pcbopts' function.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 08 06:40:18 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Andrei Iltchenko
>Release:        FreeBSD 4.7
>Organization:
Compuware
>Environment:
FreeBSD glora.wanadoo.nl 4.7-RC FreeBSD 4.7-RC #1: Sun Sep 29 16:33:54 CEST 2002     root@:/usr/src/sys/compile/GLORA  i386
>Description:
      The 'ip_pcbopts' function from 'ip_output.c' features a buffer overrun which
takes place whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied.
     Here's the offending piece of code:
                        /*
                         * Then copy rest of options back
                         * to close up the deleted entry.
                         */
                        ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
                            sizeof(struct in_addr)),
                            (caddr_t)&cp[IPOPT_OFFSET+1],
                            (unsigned)cnt + sizeof(struct in_addr));
                        break;
 
The problem in question is the last argument in the above call to
'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
>How-To-Repeat:
      
>Fix:
      The call to 'ovbcopy' should be rewritten to read:
                        /*
                         * Then copy rest of options back
                         * to close up the deleted entry.
                         */
                        ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
                            sizeof(struct in_addr)),
                            (caddr_t)&cp[IPOPT_OFFSET+1],
                            (unsigned)cnt - IPOPT_MINOFF-1);
                        break;
>Release-Note:
>Audit-Trail:
>Unformatted:
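The report above is about a single wrong length argument in an options-rewriting routine: the byte count handed to the copy is derived from a separately maintained counter rather than from the buffer itself. The following is an added example, not the FreeBSD code or the submitter's patch, of the same operation (pulling the first hop out of an IPOPT_LSRR/IPOPT_SSRR option in a user-supplied options buffer, as a setsockopt handler has to) written so that the move length is computed from the end of the buffer. The function name strip_first_hop, the return convention and the sample option bytes are constructed for this example; the IPOPT_* values are the standard encodings from <netinet/ip.h>, re-defined here so the program builds stand-alone on any platform.

```c
/*
 * Added example, not code from PR kern/66386 or from FreeBSD.
 * Removes the first hop of a source-route option from an IP options
 * buffer and reports it separately, the way a kernel would store the
 * first-hop destination ahead of the options it keeps.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPOPT_EOL     0     /* end of option list */
#define IPOPT_NOP     1     /* no operation */
#define IPOPT_LSRR    131   /* loose source route */
#define IPOPT_SSRR    137   /* strict source route */
#define IPOPT_OPTVAL  0     /* offset of the option type byte */
#define IPOPT_OLEN    1     /* offset of the option length byte */
#define IPOPT_OFFSET  2     /* offset of the pointer byte */
#define IPOPT_MINOFF  4     /* smallest valid pointer value */
#define ADDR_LEN      4     /* sizeof(struct in_addr) */

/* Return values of strip_first_hop (constructed convention). */
enum { ROUTE_BAD = -1, ROUTE_ABSENT = 0, ROUTE_STRIPPED = 1 };

/*
 * opts/len: caller-supplied options; *len is shrunk by ADDR_LEN on success.
 * first_hop: receives the address removed from the route option.
 * Every length used for a copy is derived from 'end', never from a
 * counter that was adjusted earlier, so the move cannot run past opts+len.
 */
int strip_first_hop(uint8_t *opts, size_t *len, uint8_t first_hop[ADDR_LEN])
{
    uint8_t *cp = opts;
    uint8_t *end = opts + *len;          /* one past the last valid byte */

    while (cp < end) {
        uint8_t opt = cp[IPOPT_OPTVAL];
        size_t optlen;

        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) {
            optlen = 1;
        } else {
            /* Type and length bytes must both be inside the buffer. */
            if ((size_t)(end - cp) < 2)
                return ROUTE_BAD;
            optlen = cp[IPOPT_OLEN];
            /* The claimed length must fit in what is actually left. */
            if (optlen < 2 || optlen > (size_t)(end - cp))
                return ROUTE_BAD;
        }

        if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
            /* Need type, length, pointer and at least one address. */
            if (optlen < IPOPT_MINOFF - 1 + ADDR_LEN)
                return ROUTE_BAD;
            uint8_t *hop  = &cp[IPOPT_OFFSET + 1];   /* first address */
            uint8_t *rest = hop + ADDR_LEN;          /* everything after it */
            size_t tail = (size_t)(end - rest);      /* bytes to close up */

            memcpy(first_hop, hop, ADDR_LEN);
            memmove(hop, rest, tail);                /* stays within [opts, end) */
            cp[IPOPT_OLEN] = (uint8_t)(optlen - ADDR_LEN);
            *len -= ADDR_LEN;
            return ROUTE_STRIPPED;
        }
        cp += optlen;
    }
    return ROUTE_ABSENT;
}

/* Constructed sample: NOP, then an LSRR with two hops, then EOL. */
static const uint8_t sample_opts[] = {
    IPOPT_NOP,
    IPOPT_LSRR, 11, IPOPT_MINOFF,
    10, 0, 0, 1,          /* first hop: leaves the option */
    10, 0, 0, 2,          /* second hop: stays */
    IPOPT_EOL
};

/* Runs the sample; returns the shortened length (9) on success, -1 otherwise. */
int example_strip(void)
{
    static const uint8_t expect[] = {
        IPOPT_NOP, IPOPT_LSRR, 7, IPOPT_MINOFF, 10, 0, 0, 2, IPOPT_EOL
    };
    uint8_t buf[sizeof(sample_opts)];
    uint8_t hop[ADDR_LEN];
    size_t len = sizeof(sample_opts);

    memcpy(buf, sample_opts, len);
    if (strip_first_hop(buf, &len, hop) != ROUTE_STRIPPED)
        return -1;
    if (memcmp(hop, "\x0a\x00\x00\x01", ADDR_LEN) != 0)
        return -1;
    if (len != sizeof(expect) || memcmp(buf, expect, len) != 0)
        return -1;
    return (int)len;
}

/* A route option whose length byte claims more than the buffer holds. */
int example_truncated(void)
{
    uint8_t buf[] = { IPOPT_LSRR, 20, IPOPT_MINOFF };
    uint8_t hop[ADDR_LEN];
    size_t len = sizeof(buf);
    return strip_first_hop(buf, &len, hop);   /* ROUTE_BAD */
}

int main(void)
{
    printf("sample: new length %d\n", example_strip());
    printf("truncated option: status %d\n", example_truncated());
    return 0;
}
```

The point of the example is the single line `size_t tail = (size_t)(end - rest);`: the number of bytes moved is the distance from the copy source to the end of the buffer, so a miscounted `cnt` elsewhere in the routine cannot turn the move into an overrun. The length-byte check before the switch is what rejects an option that claims more bytes than the caller supplied.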