kern/66386: Buffer overrun in the 'in_pcbopts' function.
Maxim Konovalov
maxim at macomnet.ru
Sun May 9 06:50:19 PDT 2004
The following reply was made to PR kern/66386; it has been noted by GNATS.
From: Maxim Konovalov <maxim at macomnet.ru>
To: Andrei Iltchenko <iltchenko at yahoo.com>
Cc: bug-followup at freebsd.org
Subject: Re: kern/66386: Buffer overrun in the 'in_pcbopts' function.
Date: Sun, 9 May 2004 17:44:23 +0400 (MSD)
On Sat, 8 May 2004, 06:33-0700, Andrei Iltchenko wrote:
[...]
> >Description:
> The 'ip_pcbopts' function from 'ip_output.c' features a buffer overrun which
> takes place whenever either an 'IPOPT_LSRR' or an 'IPOPT_SSRR' option is supplied.
> Here's the offending piece of code:
>         /*
>          * Then copy rest of options back
>          * to close up the deleted entry.
>          */
>         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
>             sizeof(struct in_addr)),
>             (caddr_t)&cp[IPOPT_OFFSET+1],
>             (unsigned)cnt + sizeof(struct in_addr));
>         break;
>
> The problem in question is the last argument in the above call to
> 'ovbcopy', which runs over the end of the buffer by 7 bytes (i386).
> >How-To-Repeat:
>
> >Fix:
> The call to 'ovbcopy' should be rewritten to read:
>         /*
>          * Then copy rest of options back
>          * to close up the deleted entry.
>          */
>         ovbcopy((caddr_t)(&cp[IPOPT_OFFSET+1] +
>             sizeof(struct in_addr)),
>             (caddr_t)&cp[IPOPT_OFFSET+1],
>             (unsigned)cnt - IPOPT_MINOFF-1);
>         break;
Did you mean "(unsigned)cnt - (IPOPT_MINOFF - 1))"?
Index: ip_output.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.215
diff -u -r1.215 ip_output.c
--- ip_output.c 14 Apr 2004 01:13:14 -0000 1.215
+++ ip_output.c 9 May 2004 13:40:41 -0000
@@ -1735,7 +1735,7 @@
*/
bcopy((&cp[IPOPT_OFFSET+1] + sizeof(struct in_addr)),
&cp[IPOPT_OFFSET+1],
- (unsigned)cnt + sizeof(struct in_addr));
+ (unsigned)cnt - (IPOPT_MINOFF - 1));
break;
}
}
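Review bot: the new length in this hunk cannot be checked from the diff alone, because the context does not show what cnt counts at this point (the bytes left at cp, or something already reduced for the removed address); a one-line comment above the bcopy stating that would make the arithmetic auditable. Note also that the PR's own Fix text writes `(unsigned)cnt - IPOPT_MINOFF-1`, which C parses as cnt - IPOPT_MINOFF - 1 and is two bytes shorter than this hunk's `(unsigned)cnt - (IPOPT_MINOFF - 1)`; the parenthesised form here is the one that should be committed, and since IPOPT_MINOFF - 1 equals IPOPT_OFFSET + 1, the header bytes before the address list, spelling it `(unsigned)cnt - (IPOPT_OFFSET + 1)` would say what is being subtracted.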
%%%
--
Maxim Konovalov
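Added illustration, not part of this PR or of FreeBSD's ip_output.c: a user-space C model of the option shift in ip_pcbopts(), showing that the old length cnt + sizeof(struct in_addr) reads 7 bytes past the end of the option data whatever the input, while cnt - (IPOPT_MINOFF - 1) matches the bytes actually left. It assumes the <netinet/ip.h> values IPOPT_OFFSET = 2, IPOPT_MINOFF = 4, MAX_IPOPTLEN = 40, a 4-byte struct in_addr, and that, as in the surrounding kernel code the PR does not quote, cnt has already been reduced by sizeof(struct in_addr) when the copy runs. The function names (lsrr_fixup, overrun_bytes, sample_matches_expected) and the sample option bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Option constants as defined in <netinet/ip.h>; IN_ADDR_LEN = sizeof(struct in_addr). */
#define IPOPT_OPTVAL  0
#define IPOPT_OLEN    1
#define IPOPT_OFFSET  2
#define IPOPT_MINOFF  4
#define IPOPT_NOP     1
#define IPOPT_LSRR    131
#define MAX_IPOPTLEN  40
#define IN_ADDR_LEN   4

/* Bytes that really exist from &cp[IPOPT_OFFSET+1] + IN_ADDR_LEN to the end of
 * the option data; cnt is the kernel's value at the copy, i.e. already reduced
 * by sizeof(struct in_addr) (assumption taken from the surrounding kernel code). */
static long available_after_hop(long cnt)
{
	return (cnt + IN_ADDR_LEN) - (IPOPT_OFFSET + 1 + IN_ADDR_LEN);
}

/* Length argument before the fix, and as in the kern/66386 patch. */
static long old_copy_len(long cnt)   { return cnt + IN_ADDR_LEN; }
static long fixed_copy_len(long cnt) { return cnt - (IPOPT_MINOFF - 1); }

/* Bytes a copy of copy_len would read past the end of the option data. */
static long overrun_bytes(long copy_len, long cnt)
{
	return copy_len - available_after_hop(cnt);
}

/* Model of ip_pcbopts() for option data beginning with one LSRR option
 * (hypothetical name, not a kernel function).  opts/cnt are the bytes a process
 * would pass to setsockopt(IP_OPTIONS).  On success buf holds the first hop
 * followed by the shortened options and the total length is returned; -1 is
 * the model's equivalent of the kernel's `goto bad`. */
static long lsrr_fixup(const uint8_t *opts, long cnt,
    uint8_t buf[IN_ADDR_LEN + MAX_IPOPTLEN])
{
	uint8_t *cp = buf + IN_ADDR_LEN;
	long optlen;

	if (cnt < 0 || cnt > MAX_IPOPTLEN)
		return -1;
	memset(buf, 0, IN_ADDR_LEN);              /* room for the first hop */
	memcpy(cp, opts, (size_t)cnt);
	if (cnt < IPOPT_OLEN + 1 || cp[IPOPT_OPTVAL] != IPOPT_LSRR)
		return -1;
	optlen = cp[IPOPT_OLEN];
	if (optlen < IPOPT_OLEN + 1 || optlen > cnt ||
	    optlen < IPOPT_MINOFF - 1 + IN_ADDR_LEN)  /* header + one address */
		return -1;

	cnt -= IN_ADDR_LEN;
	optlen -= IN_ADDR_LEN;
	cp[IPOPT_OLEN] = (uint8_t)optlen;
	memcpy(buf, &cp[IPOPT_OFFSET + 1], IN_ADDR_LEN);   /* first hop in front */

	/* Close the gap; the fixed length never exceeds what is left. */
	if (overrun_bytes(fixed_copy_len(cnt), cnt) != 0)
		return -1;
	memmove(&cp[IPOPT_OFFSET + 1], &cp[IPOPT_OFFSET + 1] + IN_ADDR_LEN,
	    (size_t)fixed_copy_len(cnt));
	return IN_ADDR_LEN + cnt;
}

/* Constructed samples: LSRR via 10.0.0.1 to 10.0.0.2 followed by a NOP, and
 * an LSRR too short to carry even one address. */
static const uint8_t sample_opts[] = {
	IPOPT_LSRR, 11, IPOPT_MINOFF, 10, 0, 0, 1, 10, 0, 0, 2, IPOPT_NOP };
static const uint8_t short_opts[] = { IPOPT_LSRR, 5, IPOPT_MINOFF, 10, 0 };

/* 1 if the fixed shift leaves exactly the expected bytes, 0 otherwise. */
static int sample_matches_expected(void)
{
	static const uint8_t expected[] = {
		10, 0, 0, 1,                   /* first hop, now in front */
		IPOPT_LSRR, 7, IPOPT_MINOFF,   /* option shortened by one address */
		10, 0, 0, 2, IPOPT_NOP };      /* rest shifted back intact */
	uint8_t buf[IN_ADDR_LEN + MAX_IPOPTLEN];
	long n = lsrr_fixup(sample_opts, (long)sizeof(sample_opts), buf);

	return n == (long)sizeof(expected) &&
	    memcmp(buf, expected, sizeof(expected)) == 0;
}

int main(void)
{
	uint8_t buf[IN_ADDR_LEN + MAX_IPOPTLEN];
	long cnt = (long)sizeof(sample_opts) - IN_ADDR_LEN;  /* cnt as seen at the copy */

	printf("fixed shift correct: %d\n", sample_matches_expected());
	printf("old length overruns by %ld bytes, fixed length by %ld\n",
	    overrun_bytes(old_copy_len(cnt), cnt),
	    overrun_bytes(fixed_copy_len(cnt), cnt));
	printf("short option rejected: %d\n",
	    lsrr_fixup(short_opts, (long)sizeof(short_opts), buf) == -1);
	return 0;
}
```

The overrun is a constant 7 bytes on every target with a 4-byte in_addr: the old expression adds sizeof(struct in_addr) where it should subtract the three header bytes (type, length, pointer) in front of the address list, and 4 + 3 is the figure the PR reports for i386.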