bin/79260: syslogd may accept illegal facility number from remote.
Simon L. Nielsen
simon at FreeBSD.org
Mon Mar 28 04:10:40 PST 2005
On 2005.03.28 14:27:01 +0400, Gleb Smirnoff wrote:
> On Sat, Mar 26, 2005 at 08:10:05PM +0000, Simon L. Nielsen wrote:
> S> > from remote host. but in struct filed, member variable f_pmask array
> S> > and f_pcmp array is limited to LOG_NFACILITIES. therefore syslogd
> S> > access invalid address in logmsg() when facility is larger than
> S> > LOG_NFACILITIES.
> S>
> S> Have you looked at what the implications of this are, mainly can you
> S> crash syslogd due to this bug?
>
> No, it is impossible to crash syslogd exploiting this bug. We have a magic
> constant 0x3f8, which is anded with facility, so fac can't overflow over 127.
> f_pmask[] and f_pcmp[] fields in struct filed are followed by a big field f_un,
> which is MAXPATHLEN bytes long. That's why we will never read memory outside of
> struct filed.
OK, great. Thanks for looking into this!
--
Simon L. Nielsen
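
Added example, not part of the original thread and not syslogd's own code: the 0x3f8 mask discussed above bounds the facility at 127 but not at LOG_NFACILITIES, so a receiver that indexes per-facility tables still needs an explicit range check. The function names, the value 24 for LOG_NFACILITIES, and the policy of returning -1 for out-of-range input are assumptions of this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Local copies of the <sys/syslog.h> values so the block is self-contained. */
#define FACMASK     0x03f8  /* the 0x3f8 mask from the thread */
#define PRIMASK     0x07    /* severity bits */
#define NFACILITIES 24      /* assumed LOG_NFACILITIES: size of per-facility tables */

/* Parse the leading "<NNN>" of a syslog message; 0 on success, -1 if malformed. */
int parse_pri(const char *msg, int *pri)
{
    char *end;
    long v;

    if (msg[0] != '<' || !isdigit((unsigned char)msg[1]))
        return -1;
    v = strtol(msg + 1, &end, 10);
    if (*end != '>' || v > INT_MAX)
        return -1;
    *pri = (int)v;
    return 0;
}

/* Masking alone: the result is always in 0..127, not in 0..NFACILITIES-1. */
int masked_facility(int pri) { return (pri & FACMASK) >> 3; }

/* Facility usable as a table index, or -1 when it must not index the tables. */
int checked_facility(const char *msg)
{
    int pri, fac;

    if (parse_pri(msg, &pri) != 0 || (pri & ~(FACMASK | PRIMASK)) != 0)
        return -1;
    fac = masked_facility(pri);
    return fac < NFACILITIES ? fac : -1;
}

int main(void)
{
    /* Constructed sample messages, not captured traffic. */
    const char *samples[] = { "<13>ok", "<191>last valid", "<192>fac 24",
                              "<1023>fac 127", "<99999>high bits" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int pri = 0;
        parse_pri(samples[i], &pri);
        printf("%-18s masked=%3d checked=%d\n", samples[i],
               masked_facility(pri), checked_facility(samples[i]));
    }
    return 0;
}
```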