From: "Ted Unangst"
To: hackers@freebsd.org
cc: rees@umich.edu
Date: Tue, 13 Jul 2004 16:26:08 -0700 (PDT)
Subject: out of bounds in rpcclnt
Message-ID: <16734.66.93.171.98.1089761168.spork@webmail.coverity.com>
List-Id: Technical Discussions relating to FreeBSD

the following code, around line 562 in sys/rpc/rpcclnt.c, exceeds the
bounds of the array. each array is only four bytes, the [4] is too much.

        /* Initialize other non-zero congestion variables */
        rpc->rc_srtt[0] = rpc->rc_srtt[1] = rpc->rc_srtt[2] = rpc->rc_srtt[3] =
            rpc->rc_srtt[4] = (RPC_TIMEO << 3);
        rpc->rc_sdrtt[0] = rpc->rc_sdrtt[1] = rpc->rc_sdrtt[2] =
            rpc->rc_sdrtt[3] = rpc->rc_sdrtt[4] = 0;
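
Added example, not part of the original message or the FreeBSD source: one way to write this initialization so that every store is bounded by the array's own element count. The struct layout, the element types, the RPC_TIMEO value and the rc_next field are assumptions made for illustration.

```c
#include <stddef.h>

/* Assumed stand-ins: the real struct rpcclnt and RPC_TIMEO live in the
 * FreeBSD sources; the types, the timeout value and the neighbouring
 * field here are constructed for illustration. */
#define RPC_TIMEO 1
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

struct rpc_demo {
    int rc_srtt[4];     /* four elements: valid indices are 0..3 */
    int rc_sdrtt[4];
    int rc_next;        /* hypothetical neighbour an overrun could clobber */
};

/* Bound every store by the array's own element count, so a stray [4]
 * cannot be written and a later resize needs no edit here. */
static void
rpc_demo_init_rtt(struct rpc_demo *rpc)
{
    size_t i;

    for (i = 0; i < NELEM(rpc->rc_srtt); i++)
        rpc->rc_srtt[i] = (RPC_TIMEO << 3);
    for (i = 0; i < NELEM(rpc->rc_sdrtt); i++)
        rpc->rc_sdrtt[i] = 0;
}

/* Returns 1 when all eight slots hold their initial values and the
 * neighbouring field still holds the sentinel, else 0. */
static int
rpc_demo_check(void)
{
    struct rpc_demo rpc;
    size_t i;

    rpc.rc_next = 0x5a5a;   /* constructed sentinel value */
    rpc_demo_init_rtt(&rpc);
    for (i = 0; i < NELEM(rpc.rc_srtt); i++)
        if (rpc.rc_srtt[i] != (RPC_TIMEO << 3) || rpc.rc_sdrtt[i] != 0)
            return 0;
    return rpc.rc_next == 0x5a5a;
}

int main(void) { return rpc_demo_check() ? 0 : 1; }
```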