Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 9 May 2004 06:50:18 -0700 (PDT)
From:      Maxim Konovalov <maxim@macomnet.ru>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
Message-ID:  <200405091350.i49DoIVv023503@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

The following reply was made to PR kern/66386; it has been noted by GNATS.

From: Maxim Konovalov <maxim@macomnet.ru>
To: Andrei Iltchenko <iltchenko@yahoo.com>
Cc: bug-followup@freebsd.org
Subject: Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
Date: Sun, 9 May 2004 17:44:23 +0400 (MSD)

 On Sat, 8 May 2004, 06:33-0700, Andrei Iltchenko wrote:
 [...]
 > >Description:
 >       The 'ip_pcbopts' function from 'ip_output.c' features a buffer overrun which
 > takes place whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied.
 >      Here's the offending piece of code:
 >                         /*
 >                          * Then copy rest of options back
 >                          * to close up the deleted entry.
 >                          */
 >                         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
 >                             sizeof(struct in_addr)),
 >                             (caddr_t)&cp[IPOPT_OFFSET+1],
 >                             (unsigned)cnt + sizeof(struct in_addr));
 >                         break;
 >
 > The problem in question is the last argument in the above call to
 > 'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
 > >How-To-Repeat:
 >
 > >Fix:
 >       The call to 'ovbcopy' should be rewritten to read:
 >                         /*
 >                          * Then copy rest of options back
 >                          * to close up the deleted entry.
 >                          */
 >                         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
 >                             sizeof(struct in_addr)),
 >                             (caddr_t)&cp[IPOPT_OFFSET+1],
 >                             (unsigned)cnt - IPOPT_MINOFF-1);
 >                         break;
 
 Did you mean "(unsigned)cnt - (IPOPT_MINOFF - 1))"?
 
 Index: ip_output.c
 ===================================================================
 RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
 retrieving revision 1.215
 diff -u -r1.215 ip_output.c
 --- ip_output.c	14 Apr 2004 01:13:14 -0000	1.215
 +++ ip_output.c	9 May 2004 13:40:41 -0000
 @@ -1735,7 +1735,7 @@
  			 */
  			bcopy((&cp[IPOPT_OFFSET+1] + sizeof(struct in_addr)),
  			    &cp[IPOPT_OFFSET+1],
 -			    (unsigned)cnt + sizeof(struct in_addr));
 +			    (unsigned)cnt - (IPOPT_MINOFF - 1));
  			break;
  		}
  	}
 %%%
 
 -- 
 Maxim Konovalov

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200405091350.i49DoIVv023503>