bin/79260: syslogd may accept illegal facility number from remote.
Shuichi KITAGUCHI
kit at ysnb.net
Sat Mar 26 10:10:03 PST 2005
>Number: 79260
>Category: bin
>Synopsis: syslogd may accept illegal facility number from remote.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 26 18:10:02 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Shuichi KITAGUCHI
>Release: 6-CURRENT (but all releases may affected)
>Organization:
>Environment:
FreeBSD rhea.k.ysnb.net 6.0-CURRENT FreeBSD 6.0-CURRENT #0: Sat Mar 19 22:27:19 JST 2005 root at rhea.k.ysnb.net:/spool/sys/obj/data/sys/src/sys/RHEA i386
>Description:
syslogd can accept priority number which larger than LOG_NFACILITIES from remote host. but in struct filed, member variable f_pmask array and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd access invalid address in logmsg() when facility is larger than LOG_NFACILITIES.
>How-To-Repeat:
send syslog message which facility is larger than LOG_NFACILITIES from remote host.
>Fix:
I think following patch should fix this problem.
--- syslogd.c.old Mon Mar 21 22:19:01 2005
+++ syslogd.c Sun Mar 27 02:44:07 2005
@@ -918,6 +918,12 @@
fac = LOG_FAC(pri);
prilev = LOG_PRI(pri);
+ /* check maximum facility number */
+ if (fac > LOG_NFACILITIES){
+ (void)sigsetmask(omask);
+ return;
+ }
+
/* extract program name */
for (i = 0; i < NAME_MAX; i++) {
if (!isprint(msg[i]) || msg[i] == ':' || msg[i] == '[' ||
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list