misc/86647: natd copy to limied buffer size without checking range
Stephen Hurd
shurd at sasktel.net
Tue Sep 27 13:20:23 PDT 2005
>Number: 86647
>Category: misc
>Synopsis: natd copy to limied buffer size without checking range
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 27 20:20:22 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Stephen Hurd
>Release: 5.3-RELEASE
>Organization:
>Environment:
FreeBSD fw.bbsdev.net 5.3-RELEASE FreeBSD 5.3-RELEASE #4: Fri Sep 2 14:31:49 CST 2005 admin at fw.bbsdev.net:/usr/src/sys/i386/compile/FW i386
>Description:
In Setup*Redirect() in natd.c, the params are copied to a fixed-length buffer using strlcpy() then parsed. For large round-robin redirects, 128 is occasionally not enough bytes. natd currently truncates the arguments to 128 bytes and then parses. For a redirect_port such as this:
"redirect_port tcp 192.168.0.13:30023,192.168.0.1:30023,192.168.0.7:30023,192.168.0.12:30023,192.168.0.9:30023,192.168.0.4:3002
3 142.165.59.203:telnet"
This truncates to an invalid line without a message to that effect.
>How-To-Repeat:
Add a redirect_* line to a natd config file (or on command-line) with more that 128 chars in the params.
>Fix:
use strdup() to copy the params, or check param length before copying and throw an error if larger than sizeof(buf)-1
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list