From owner-freebsd-bugs@FreeBSD.ORG Sun May 9 06:50:19 2004
Date: Sun, 9 May 2004 06:50:18 -0700 (PDT)
Message-Id: <200405091350.i49DoIVv023503@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: Maxim Konovalov
Subject: Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
List-Id: Bug reports

The following reply was made to PR kern/66386; it has been noted by GNATS.
From: Maxim Konovalov
To: Andrei Iltchenko
Cc: bug-followup@freebsd.org
Subject: Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
Date: Sun, 9 May 2004 17:44:23 +0400 (MSD)

On Sat, 8 May 2004, 06:33 -0700, Andrei Iltchenko wrote:

[...]

> >Description:
> The 'ip_pcbopts' function from 'ip_output.c' features a buffer overrun which
> takes place whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied.
> Here's the offending piece of code:
>
>	/*
>	 * Then copy rest of options back
>	 * to close up the deleted entry.
>	 */
>	ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
>	    sizeof(struct in_addr)),
>	    (caddr_t)&cp[IPOPT_OFFSET+1],
>	    (unsigned)cnt + sizeof(struct in_addr));
>	break;
>
> The problem in question is the last argument in the above call to
> 'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
>
> >How-To-Repeat:
>
> >Fix:
> The call to 'ovbcopy' should be rewritten to read:
>
>	/*
>	 * Then copy rest of options back
>	 * to close up the deleted entry.
>	 */
>	ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
>	    sizeof(struct in_addr)),
>	    (caddr_t)&cp[IPOPT_OFFSET+1],
>	    (unsigned)cnt - IPOPT_MINOFF-1);
>	break;

Did you mean "(unsigned)cnt - (IPOPT_MINOFF - 1))"?

Index: ip_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.215
diff -u -r1.215 ip_output.c
--- ip_output.c	14 Apr 2004 01:13:14 -0000	1.215
+++ ip_output.c	9 May 2004 13:40:41 -0000
@@ -1735,7 +1735,7 @@
 				 */
 				bcopy((&cp[IPOPT_OFFSET+1] + sizeof(struct in_addr)),
 				    &cp[IPOPT_OFFSET+1],
-				    (unsigned)cnt + sizeof(struct in_addr));
+				    (unsigned)cnt - (IPOPT_MINOFF - 1));
 				break;
 			}
 		}
%%%

-- 
Maxim Konovalov
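Review bot: the `+` line `(unsigned)cnt - (IPOPT_MINOFF - 1)` needs a guarantee that cnt is at least IPOPT_MINOFF - 1 when the copy is reached; the hunk shows no such check, and because the subtraction is done in unsigned arithmetic a smaller cnt wraps to a length close to 4 GB, a worse outcome than the fixed 7-byte overrun being removed. Please confirm that the option-length validation above this hunk rejects a source-route option too short to hold the pointer byte plus one address, or add a check on the order of `if (optlen < IPOPT_MINOFF - 1 + sizeof(struct in_addr)) goto bad;` before the copy. The size itself checks out against the report: the old `cnt + sizeof(struct in_addr)` exceeds the new expression by sizeof(struct in_addr) + (IPOPT_MINOFF - 1) = 7 bytes, which matches the 7-byte overrun the PR describes, and the parentheses settle the `cnt - IPOPT_MINOFF-1` ambiguity queried above.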
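The length arithmetic behind the report and the patched expression, as an added example that is not part of this thread or of the FreeBSD sources: a C model of the source-route rewrite in ip_pcbopts() over a plain byte array, run once with the pre-patch `cnt + sizeof(struct in_addr)` and once with the patched `cnt - (IPOPT_MINOFF - 1)`. The option codes and field offsets are the `<netinet/ip.h>` values; the arena, the guard pattern, the struct and function names, the sample route and the short-option check inside the loop are assumptions made for this example and are not in the quoted patch.

```c
/*
 * Model of the source-route rewrite in ip_pcbopts() (FreeBSD
 * sys/netinet/ip_output.c) on a plain byte array instead of an mbuf.  Added
 * example, not the kernel's code: the option codes and field offsets are the
 * <netinet/ip.h> values; the arena, guard pattern and all names are invented.
 */
#include <stdint.h>
#include <string.h>

#define IPOPT_EOL     0
#define IPOPT_NOP     1
#define IPOPT_LSRR    131
#define IPOPT_SSRR    137
#define IPOPT_OPTVAL  0    /* type byte */
#define IPOPT_OLEN    1    /* length byte */
#define IPOPT_OFFSET  2    /* pointer byte; addresses start at cp[IPOPT_OFFSET+1] */
#define IPOPT_MINOFF  4
#define IN_ADDR_LEN   4    /* sizeof(struct in_addr) */
#define ARENA_LEN     40   /* spare bytes after the options, as an mbuf has */

enum { LEN_BUGGY = 0, LEN_FIXED = 1 };   /* pre-patch or patched length */

struct srr_model {
    long    copy_len;    /* bytes the "close up the deleted entry" copy moves */
    long    avail;       /* bytes really present after the removed address */
    long    overrun;     /* copy_len - avail; > 0 means reading past the end */
    int     guard_hits;  /* guard bytes beyond the options the copy overwrote */
    int     new_len;     /* option length after one address was pulled out */
    uint8_t first_hop[IN_ADDR_LEN];
    uint8_t opts[ARENA_LEN];
};

/* len must be a multiple of 4, as the kernel requires; -1 where it gives EINVAL. */
int
srr_rewrite(const uint8_t *opts, int len, int mode, struct srr_model *r)
{
    uint8_t *cp;
    int cnt, optlen, opt, i;
    if (len % 4 != 0 || len > ARENA_LEN - 8)
        return -1;
    memset(r, 0, sizeof(*r));
    for (i = 0; i < ARENA_LEN; i++)      /* position-dependent guard pattern */
        r->opts[i] = (uint8_t)(0xA0 + i);
    memcpy(r->opts, opts, (size_t)len);
    r->new_len = len;
    cp = r->opts;
    for (cnt = len; cnt > 0; cnt -= optlen, cp += optlen) {
        opt = cp[IPOPT_OPTVAL];
        if (opt == IPOPT_EOL)
            break;
        if (opt == IPOPT_NOP) { optlen = 1; continue; }
        if (cnt < IPOPT_OLEN + 1 || (optlen = cp[IPOPT_OLEN]) < IPOPT_OLEN + 1 || optlen > cnt)
            return -1;
        if (opt != IPOPT_LSRR && opt != IPOPT_SSRR)
            continue;
        /* Check added in this model (not in the quoted patch): without type,
         * length, pointer and one address the patched subtraction wraps. */
        if (optlen < IPOPT_MINOFF - 1 + IN_ADDR_LEN)
            return -1;
        r->new_len -= IN_ADDR_LEN;       /* the first hop leaves the option */
        cnt -= IN_ADDR_LEN;
        optlen -= IN_ADDR_LEN;
        cp[IPOPT_OLEN] = (uint8_t)optlen;
        memcpy(r->first_hop, &cp[IPOPT_OFFSET + 1], IN_ADDR_LEN);
        r->avail = len - ((int)(cp - r->opts) + IPOPT_OFFSET + 1 + IN_ADDR_LEN);
        r->copy_len = mode == LEN_FIXED ? (long)cnt - (IPOPT_MINOFF - 1) /* patched */
                                        : (long)cnt + IN_ADDR_LEN;      /* pre-patch */
        r->overrun = r->copy_len - r->avail;
        memmove(&cp[IPOPT_OFFSET + 1], &cp[IPOPT_OFFSET + 1 + IN_ADDR_LEN], (size_t)r->copy_len);
        break;
    }
    for (i = len; i < ARENA_LEN; i++)
        if (r->opts[i] != (uint8_t)(0xA0 + i))
            r->guard_hits++;
    return 0;
}

/* Constructed sample: LSRR 10.0.0.1 -> 10.0.0.2 -> 10.0.0.3 -> 10.0.0.4,
 * 19 option bytes plus one EOL so the length is a multiple of 4. */
static const uint8_t sample_opts[20] = { IPOPT_LSRR, 19, IPOPT_MINOFF,
    10, 0, 0, 1, 10, 0, 0, 2, 10, 0, 0, 3, 10, 0, 0, 4, IPOPT_EOL };
struct srr_model g_buggy, g_fixed;   /* results of the two length expressions */

/* Runs both variants on the sample; 0 on success, -1 if either is rejected. */
int
sample_run_both(void)
{
    return srr_rewrite(sample_opts, 20, LEN_BUGGY, &g_buggy) |
        srr_rewrite(sample_opts, 20, LEN_FIXED, &g_fixed);
}

/* Constructed edge case: an LSRR with no address at all (length 3 plus EOL). */
int
sample_short_rejected(void)
{
    static const uint8_t opts[4] = { IPOPT_LSRR, 3, IPOPT_MINOFF, IPOPT_EOL };
    struct srr_model r;
    return srr_rewrite(opts, 4, LEN_FIXED, &r) == -1;
}
```

sample_run_both() fills g_buggy and g_fixed. With the sample route the pre-patch expression asks for 20 bytes where only 13 exist after the removed first hop, the 7-byte overrun of the report, and on the write side the model's guard shows 3 bytes past the options being overwritten; the patched expression moves exactly 13 bytes and leaves "LSRR, len 15, ptr 4, B, C, D, EOL" with A parked as the first hop. sample_short_rejected() shows the case the model's extra check exists for: a source-route option with no address at all, which the patched subtraction alone would turn into a wrapped unsigned length.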