Date: Wed, 24 Mar 1999 12:57:54 +0900 (JST)
From: futatuki@fureai.or.jp
To: FreeBSD-gnats-submit@freebsd.org
Subject: kern/10765: buffer over run on msgrcv() system call
Message-ID: <199903240357.MAA01108@sheep.adin.co.jp>
>Number:         10765
>Category:       kern
>Synopsis:       buffer over run on msgrcv() system call
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Mar 23 20:10:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator:     Yasuhito FUTATSUKI
>Release:        FreeBSD 3.1-RELEASE i386
>Organization:
>Environment:
FreeBSD 3.1-RELEASE i386 / FreeBSD 2.2.7-RELEASE i386
>Description:
msgrcv(msqid, msgp, msgsz, msgtyp, msgflg) copies more message data than the
size specified in msgsz when

1. msgsz is larger than `msgssz', and
2. msgsz is not a multiple of `msgssz',

where msgssz is the size of a message segment in bytes, set by the kernel
configuration option MSGSSZ (the default is 8).
>How-To-Repeat:
Assume msgssz is 8, the message queue of id msqid is accessible, and a message
of type msgtyp and size 20 bytes was sent. Then

    struct {
        long mtype;
        char mtext[20];
        long some_data;
    } mymsg;

    msgrcv(msqid, (void *)&mymsg, 20, msgtyp, 0);

will crash mymsg.some_data.
>Fix:
*** sys/kern/sysv_msg.c.dist Mon Mar 30 18:50:35 1998 --- sys/kern/sysv_msg.c Wed Mar 24 10:52:34 1999 *************** *** 993,1002 **** for (len = 0; len < msgsz; len += msginfo.msgssz) { size_t tlen; ! if (msgsz > msginfo.msgssz) tlen = msginfo.msgssz; else ! tlen = msgsz; if (next <= -1) panic("next too low #3"); if (next >= msginfo.msgseg) --- 993,1002 ---- for (len = 0; len < msgsz; len += msginfo.msgssz) { size_t tlen; ! if (msgsz - len > msginfo.msgssz) tlen = msginfo.msgssz; else ! tlen = msgsz -len; if (next <= -1) panic("next too low #3"); if (next >= msginfo.msgseg)
>Release-Note:
>Audit-Trail:
>Unformatted:
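Review bot: in the replacement hunk, `tlen = msgsz -len;` is missing the space after the minus (`msgsz - len`), which style(9) expects. The logic itself is right: the loop condition `len < msgsz` guarantees `msgsz - len` cannot underflow, and bounding tlen by the bytes still outstanding rather than by the whole msgsz means the final partial segment (the 20-byte, msgssz 8 case in How-To-Repeat, which previously did three full 8-byte copies) now copies only what the caller asked for.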
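To make the two conditions in the description concrete, the following added example (not code from the PR or from the FreeBSD tree) models the per-segment copy loop in userland over a contiguous segment array and a constructed sentinel buffer, comparing the unpatched and patched tlen computation. MSGSSZ, copy_message and overrun_bytes are names chosen here.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for msginfo.msgssz, the kernel message segment size (default 8). */
#define MSGSSZ 8
#define BUFSZ  64   /* scratch buffer large enough to catch any overrun */

/*
 * Per-segment copy loop modelled on the msgrcv() path in sysv_msg.c.  The
 * segments are contiguous here (the kernel chains them through `next');
 * only the tlen computation matters for the bug.  `fixed' selects the
 * unpatched (0) or patched (1) way of computing tlen.
 */
static void copy_message(char *dst, const char *segs, size_t msgsz, int fixed)
{
    size_t len, tlen;

    for (len = 0; len < msgsz; len += MSGSSZ) {
        if (fixed)
            /* patched: bound by the bytes still outstanding, msgsz - len */
            tlen = (msgsz - len > MSGSSZ) ? MSGSSZ : msgsz - len;
        else
            /* unpatched: tests the whole msgsz every iteration, so a final
             * partial segment is copied in full, past the caller's msgsz */
            tlen = (msgsz > MSGSSZ) ? MSGSSZ : msgsz;
        memcpy(dst + len, segs + len, tlen);
    }
}

/*
 * Receive msgsz bytes into a sentinel-filled buffer and return how many
 * sentinel bytes beyond msgsz were clobbered (0 means no overrun).  With
 * msgssz 8, the PR's 20-byte request clobbers 4 bytes; 16 or 5 clobber none.
 */
static size_t overrun_bytes(size_t msgsz, int fixed)
{
    char dst[BUFSZ], segs[BUFSZ];
    size_t i, clobbered = 0;

    if (msgsz > BUFSZ - MSGSSZ)      /* keep even the buggy path inside dst */
        return (size_t)-1;
    memset(dst, 0xAA, sizeof dst);   /* sentinel pattern past the request */
    memset(segs, 'x', sizeof segs);  /* constructed message payload */
    copy_message(dst, segs, msgsz, fixed);
    for (i = msgsz; i < sizeof dst; i++)
        if ((unsigned char)dst[i] != 0xAA)
            clobbered++;
    return clobbered;
}
```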