Requesting clarification for FreeBSD-SA-15:04.igmp
Shawn Hoffman
godisgovernment at gmail.com
Fri Feb 27 23:32:48 UTC 2015
Hi,
I would like more clarification to be provided about who/what is
affected by this patch.
As we can see, amd64 is not affected:
( 9.3-RELEASE, md5 c4605d83b454c7633149a4eb3baa8b83 )
.text:FFFFFFFF80A04AA6 mov r14, [rbp+var_88]
.text:FFFFFFFF80A04AAD add cs:igmpstat_0.igps_rcv_v3_queries, 1
.text:FFFFFFFF80A04AB5 movzx ecx, word ptr [r14+0Ah]
.text:FFFFFFFF80A04ABA rol cx, 8
.text:FFFFFFFF80A04ABE movzx ebx, cx
; rbx = ((u64)(u16)ntohs(igmp_numsrc)) << 2
.text:FFFFFFFF80A04AC1 shl rbx, 2
; rdi = (u16)(((u64)(u16)ntohs(igmp_numsrc)) << 2)
.text:FFFFFFFF80A04AC5 movzx edi, bx
.text:FFFFFFFF80A04AC8 mov ecx, ebx
.text:FFFFFFFF80A04ACA cmp rbx, rdi
; u64 compare
.text:FFFFFFFF80A04ACD ja fail_igps_rcv_tooshort
This is because the result type of ntohs() is the same as uint16_t, and the result
of sizeof() is size_t. Because of this, 32-bit x86 should not be
vulnerable either.
I can only assume platforms where the int type is <= 16 bits may
actually be vulnerable.
I have no idea if FreeBSD actually uses such configurations.
I think this information should be clarified in the security
advisories (which in this case only give explicit details on how to patch
"a RELEASE version of FreeBSD on the i386 or amd64 platforms" - which are
not affected, AFAICT).
-Shawn
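An added example, not part of the mail above and not FreeBSD's own source: it models the length check exactly as the quoted amd64 listing performs it (64-bit product in rbx, 16-bit truncation in rdi, unsigned compare), next to the same expression under a hypothetical target where int is only 16 bits wide, which is the case the mail reasons about. It assumes a little-endian host (so ntohs is a plain byte swap) and 4 bytes per source address (the `shl rbx, 2`).

```c
/* Added example (not from the mail or FreeBSD sources): models the length
 * check as the amd64 disassembly performs it, and the same expression with
 * a hypothetical 16-bit int, to show why the width of int decides whether
 * the truncated comparison can still flag a too-short packet. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Byte-swap a 16-bit network-order field (the "rol cx, 8" in the listing).
 * Assumes a little-endian host such as amd64. */
static uint16_t ntohs_u16(uint16_t net) {
    return (uint16_t)((net << 8) | (net >> 8));
}

/* The check as compiled for amd64: the product is widened to 64 bits (rbx),
 * truncated to 16 bits (rdi), and the two are compared unsigned (cmp/ja).
 * Returns 1 when the packet would be counted as igps_rcv_tooshort. */
int tooshort_amd64(uint16_t igmp_numsrc_net) {
    size_t   full      = (size_t)ntohs_u16(igmp_numsrc_net) * sizeof(uint32_t);
    uint16_t truncated = (uint16_t)full;
    return full > truncated;
}

/* The same expression if int and size_t were 16 bits wide (hypothetical
 * target modelled with explicit casts): the product wraps before it is ever
 * compared, so the check can never reject an oversized source count. */
int tooshort_int16(uint16_t igmp_numsrc_net) {
    uint16_t full      = (uint16_t)((unsigned)ntohs_u16(igmp_numsrc_net) * 4u);
    uint16_t truncated = full;
    return full > truncated;   /* always 0: both sides already wrapped */
}

int main(void) {
    /* Constructed sample source counts: a small one, the first count whose
     * byte length no longer fits in 16 bits (16384 * 4 == 65536), and 0xFFFF. */
    const uint16_t samples[] = { 100, 16384, 0xFFFF };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint16_t net = ntohs_u16(samples[i]);   /* swap is its own inverse */
        printf("numsrc=%5u amd64 tooshort=%d 16-bit-int tooshort=%d\n",
               samples[i], tooshort_amd64(net), tooshort_int16(net));
    }
    return 0;
}
```

On amd64 the truncated-versus-widened compare rejects any count whose byte length exceeds 65535, which is the mail's point; with a 16-bit int the two sides wrap identically and nothing is rejected.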